[mssms] RE: Installing 1710 Hotfix - one server has error

[Heaton, Joseph@Wildlife]

Ok, so I went with Option 1, and it looks better.  Executing SQL scripts, etc, 
which it didn't get to last time.

From: Heaton, Joseph@Wildlife
Sent: Tuesday, February 6, 2018 6:41 AM
To: 'mssms@lists.myitforum.com' 
Subject: Installing 1710 Hotfix - one server has error

So, the installation of the 1710 hotfix went perfectly on my Primary site 
server, and 14 of 15 Secondary site servers.  On one, however, it failed.  
ConfigMgrSetup.log shows:

INFO:  User defined 5130 objects on this database.
ERROR: SQL Server Database has user defined objects, cannot configure database.

Just prior to these, the log talks about dropping the database, and then 
throwing errors because it failed to drop it, because it was in use.  Then, 
seconds later, it says it tested SQL Server connection successfully, starts 
stopping services, tries to copy initial setup files, and then a block of 
errors about not finding those source files.  Then it proceeds like everything 
is good, then the messages I stated above.


I found one Technet thread on this, where SergIT says he just deleted the SQL 
instance, and let the install go, but that was an initial install, not exactly 
the same situation.  I was thinking of just trying the hotfix install again, to 
see if I get different results, but wanted to reach out to you guys first.

Options I'm looking at:


1)   Re-run the hotfix install

2)   Delete the database, and recover the secondary again?

Thanks,

Joe Heaton
Information Technology Operations Branch
Data and Technology Division
CA Department of Fish and Wildlife
1700 9th Street, 3rd Floor
Sacramento, CA  95811
Desk:  916-323-1284

[mssms] Installing 1710 Hotfix - one server has error

[Heaton, Joseph@Wildlife]

So, the installation of the 1710 hotfix went perfectly on my Primary site 
server, and 14 of 15 Secondary site servers.  On one, however, it failed.  
ConfigMgrSetup.log shows:

INFO:  User defined 5130 objects on this database.
ERROR: SQL Server Database has user defined objects, cannot configure database.

Just prior to these, the log talks about dropping the database, and then 
throwing errors because it failed to drop it, because it was in use.  Then, 
seconds later, it says it tested SQL Server connection successfully, starts 
stopping services, tries to copy initial setup files, and then a block of 
errors about not finding those source files.  Then it proceeds like everything 
is good, then the messages I stated above.


I found one Technet thread on this, where SergIT says he just deleted the SQL 
instance, and let the install go, but that was an initial install, not exactly 
the same situation.  I was thinking of just trying the hotfix install again, to 
see if I get different results, but wanted to reach out to you guys first.

Options I'm looking at:


1)   Re-run the hotfix install

2)   Delete the database, and recover the secondary again?

Thanks,

Joe Heaton
Information Technology Operations Branch
Data and Technology Division
CA Department of Fish and Wildlife
1700 9th Street, 3rd Floor
Sacramento, CA  95811
Desk:  916-323-1284

[mssms] RE: Defender Application Control

[Heaton, Joseph@Wildlife]

Well, if it blocks notepad, it has no way to read the text file.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of John Aubrey
Sent: Thursday, February 1, 2018 5:22 AM
To: mssms@lists.myitforum.com
Subject: [mssms] Defender Application Control

Has anyone used Defender Application Control policy in SCCM yet?  I have a 
basic policy with the "Authorize software that is trusted by the Intelligent 
Security Graph" option enabled.  Once my test PC checks in, notepad doesn't 
work and if I reboot, the system is bricked and won't boot.  Says it can't 
access a txt file that is used for event logs.  I would have thought the 
Intelligent Security Graph option would at least let Windows boot

[mssms] RE: Thoughts on Office 365 in the Enterprise?

[Heaton, Joseph@Wildlife]

There is a deployment tool from Microsoft, so that you can use cloud Office, 
and on-prem Visio/Project.  Our desktop folks are looking into it.  From the 
reading so far, it can be a bit buggy, but it is there.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Bradnan, Jerry
Sent: Tuesday, January 30, 2018 3:27 PM
To: mssms@lists.myitforum.com
Subject: [mssms] RE: Thoughts on Office 365 in the Enterprise?

One drawback; if you're deploying MS Project or MS Visio (MSI Based installs), 
you cannot run the CTR versions of Office.

On the plus side, the immediate feature updates are nice.

Jerry


From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Eric Morrison
Sent: Tuesday, January 30, 2018 16:02
To: mssms@lists.myitforum.com
Subject: [mssms] RE: Thoughts on Office 365 in the Enterprise?

If you use Office 365 for email, skype, or other services, I think it make 
sense.

We went with full Microsoft 365 Suite with ATP and it has worked out really 
well. But yes, you go to per user licensing.

Thanks,

Eric

Sent from Mail for Windows 10

From: John Aubrey
Sent: Tuesday, January 30, 2018 2:30 PM
To: mssms@lists.myitforum.com
Subject: [mssms] RE: Thoughts on Office 365 in the Enterprise?

Focus inbox for Outlook is only available in the 365 version.  I wouldn't be 
surprised to see C2R as the only version of Office 2019.  There will still be 
the traditional Pro Plus, but will be one installer for Office vs 2 now.

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of John Marcum
Sent: Tuesday, January 30, 2018 1:19 PM
To: mssms@lists.myitforum.com
Subject: [mssms] RE: Thoughts on Office 365 in the Enterprise?

It's licensed per user rather than per computer so your users can have it on 
multiple devices.

Downside is that you can no longer legally deploy the msi installer of Office, 
only the CTR version.




From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Mike Murray
Sent: Tuesday, January 30, 2018 11:37 AM
To: mssms@lists.myitforum.com
Subject: [mssms] Thoughts on Office 365 in the Enterprise?

We're already licensed for regular ol' Office, any advantage moving to 365?


Best Regards,

Mike Murray
Desktop Engineer/IT Consultant - IT Support Services
California State University, Chico
530.898.4357
mmur...@csuchico.edu

Remember, Chico State will NEVER ask you for your password via email!
For more information about recognizing phishing scam emails go to: 
http://www.csuchico.edu/isec/basics/spam-and-phishing.shtml

RE: [mssms] Deploying the .NET registry entries

[Heaton, Joseph@Wildlife]

That’s what I needed to know, thank you.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Adam Juelich
Sent: Tuesday, January 23, 2018 1:49 PM
To: mssms@lists.myitforum.com
Subject: Re: [mssms] Deploying the .NET registry entries

.NET Registry Keys?  Or are you talking about Meltdown/Spectre?  That third one 
is for Hyper-V Hosts

On Tue, Jan 23, 2018 at 2:25 PM, Heaton, Joseph@Wildlife 
mailto:joseph.hea...@wildlife.ca.gov>> wrote:
So, I created a deployment package, with a batch file containing the 3 reg add 
commands.  I’ve deployed it to 3 test servers.  2 of the 3 reg keys are 
created, no problem, but the 3rd, under HKLM\Software, doesn’t get created.  If 
I copy the batch file locally, and run it, this key does get created.  The 
account being used to deploy the package is a local admin on every box in my 
environment.  And the oddest part, to me, is that the deployment comes up 
green, as if all 3 had been created.  Has anyone else had this experience?  Is 
there a better way of deploying these reg adds?

Joe Heaton
Information Technology Operations Branch
Data and Technology Division
CA Department of Fish and Wildlife
1700 9th Street, 3rd Floor
Sacramento, CA  95811
Desk:  916-323-1284

[mssms] Deploying the .NET registry entries

[Heaton, Joseph@Wildlife]

So, I created a deployment package, with a batch file containing the 3 reg add 
commands.  I've deployed it to 3 test servers.  2 of the 3 reg keys are 
created, no problem, but the 3rd, under HKLM\Software, doesn't get created.  If 
I copy the batch file locally, and run it, this key does get created.  The 
account being used to deploy the package is a local admin on every box in my 
environment.  And the oddest part, to me, is that the deployment comes up 
green, as if all 3 had been created.  Has anyone else had this experience?  Is 
there a better way of deploying these reg adds?

Joe Heaton
Information Technology Operations Branch
Data and Technology Division
CA Department of Fish and Wildlife
1700 9th Street, 3rd Floor
Sacramento, CA  95811
Desk:  916-323-1284

[mssms] RE: Questions around deploying with SCCM/SCUP

[Heaton, Joseph@Wildlife]

I think the only way it would go back and forth, is if you select "Always 
rerun".  I typically select "rerun upon failure", or something to that effect.

So, deploy the base app with SCCM, then import and upgrade/patch using the SCUP 
import.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Chris Carbone
Sent: Tuesday, January 23, 2018 9:15 AM
To: 'mssms@lists.myitforum.com' 
Subject: [mssms] Questions around deploying with SCCM/SCUP

Hello All,

This is probably a goofy question but wanted to see how others are handling 
this. We recently purchased PatchMyPC licenses to leverage patching 3rd party 
applications. I was not aware that this will only update existing installed 
applications and you cannot use it for pushing software to machines that never 
had the software installed.

How is everyone handling I guess the, "base" version of your applications in 
SCCM? Do you just update the detection method to include the newest build from 
SCUP so it will always show as compliant in software center? Or do you update 
the base version every so often? I guess if you are not careful and push out 
the base application and leave it out there, then down the road also push out a 
newer update with the SCUP version, the machine will go back and forth 
installing the old one and newer one.

I also have a couple steps in my TS to install applications during OSD and I 
guess with SCUP when it imports into SCCM, shows up as a software update. I 
know how software updates and task sequences do not work all that great. Are 
you also not using SCUP/PatchMyPC for OSD applications? Or found a dependable 
way to do this?

Thanks in advance!

Chris
This electronic mail transmission may contain confidential information intended 
only for the use of the individual(s) identified as addressee(s). If you are 
not the intended recipient, you are hereby notified that any disclosure, 
copying, distribution or the taking of any action in reliance on the contents 
of this electronic mail transmission is strictly prohibited. If you have 
received this transmission in error, please notify me by telephone immediately.

[mssms] WSUS sync schedule?

[Heaton, Joseph@Wildlife]

I just completed the WSUS maintenance for my ConfigMgr install.  Prior to the 
maintenance, I went into the configuration for my SUP, and deselected the box 
to "Enable synchronization on a schedule".  I never touched the sync schedule 
in WSUS.  When I look at it now, in WSUS, it shows as Manual.  That doesn't 
sound right to me, but before changing it, I wanted to verify here.  Does the 
SUP manually kick off a WSUS sync on its schedule, or do I have to setup a sync 
schedule in WSUS, as well?

Joe Heaton
Information Technology Operations Branch
Data and Technology Division
CA Department of Fish and Wildlife
1700 9th Street, 3rd Floor
Sacramento, CA  95811
Desk:  916-323-1284

RE: [mssms] Upgrading Config Mgr

[Heaton, Joseph@Wildlife]

That's what I was thinking, thanks.  My plan is to update the primary one 
night, then the secondaries the next day in the office.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Robert Spinelli
Sent: Wednesday, December 20, 2017 9:29 AM
To: mssms@lists.myitforum.com
Subject: RE: [mssms] Upgrading Config Mgr

Personally I wait a few hours to make sure it's all working before I move onto 
the secondary.

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Heaton, Joseph@Wildlife
Sent: Tuesday, December 19, 2017 7:05 PM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: RE: [mssms] Upgrading Config Mgr

Sorry to interrupt the hijack :P, but a quick question on my original question

Do you guys wait any real amount of time between updating the primary site, and 
the secondary sites?  Or do you update the secondaries as soon as the primary 
is complete?

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of John Marcum
Sent: Tuesday, December 19, 2017 12:23 PM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: RE: [mssms] Upgrading Config Mgr

Echoing some of the comment below I'd like to say that the PFE may say it's a 
"best practice" but I'd challenge him to provide some official documentation 
that states that. I'd also ask for references for the PFE, I've had some bad 
experiences with Microsoft PFE's who claim to be experts in ConfigMgr, I'm not 
by any means saying there are not any good ones, but I am saying  that is the 
goods ones are booked MCS will absolutely send someone to you who is not 
actually a specialist in ConfigMgr because that guy is sitting on the bench 
costing them money.



Sensitivity: Confidential between partners
From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Robert Spinelli
Sent: Tuesday, December 19, 2017 10:01 AM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: RE: [mssms] Upgrading Config Mgr

You really should ask again for 2nd opinion / clarification why this needs to 
be done.

If you doing months of work for something you don't need to do and I was the 
SCCM team I would be pretty unhappy.

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Marable, Mike
Sent: Tuesday, December 19, 2017 10:05 AM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: RE: [mssms] Upgrading Config Mgr

The SCCM team worked with our TAM to get an SCCM PFE to come up with the safest 
solution for getting off of this cluster.  Trust me, I'm watching a train of 
SCCM releases roll by with numerous features I would love to take advantage of. 
 But I'm not on the SCCM architect team, so my OSD opinions and wants are 
irrelevant.  :)

Mike

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Dam, Bryan
Sent: Tuesday, December 19, 2017 9:50 AM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: RE: [mssms] Upgrading Config Mgr

Yea, we've just done that twice in the last two months to get to SQL 2016 
without any problems on the ConfigMan side of things.  I mean ... what's your 
disaster recovery plan if you can't reliably restore the database to a new 
server?
  Bryan

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Jason Sandys
Sent: Tuesday, December 19, 2017 9:28 AM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: RE: [mssms] Upgrading Config Mgr

I don't your PFE and I don't know all of the details involved here, but based 
on what has been written below, no way. Also, be skeptical of anyone who simply 
says "best practice" as that typically implies they don't actually know any 
technical details and are blindly following some generic recommendation that 
doesn't take your environment, requirements, and circumstances into account.

J

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Robert Spinelli
Sent: Tuesday, December 19, 2017 8:47 AM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: RE: [mssms] Upgrading Config Mgr

Yeah, this seems weird to me.  Full disclosure I haven't done much with SQL 
clusters and SCCM so maybe there is something I'm missing.

I know if you want to use another SQL server for SCCM you can perform a site 
reset and 

RE: [mssms] Upgrading Config Mgr

[Heaton, Joseph@Wildlife]

:listsad...@lists.myitforum.com] On Behalf Of Marable, Mike
Sent: Monday, December 18, 2017 11:32 PM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: RE: [mssms] Upgrading Config Mgr

The Microsoft PFE for SCCM said that it is Microsoft's best practice to do a 
side-by-side migration as opposed to doing something like a backup and restore 
of the SQL database to a new cluster.

Our SQL team wanted to do a simple backup and restore to the new cluster, but 
we burned some Premier hours and the PFE advised us that doing that risked 
corrupting the entire database and forcing us into a site recovery.  He said 
the only way to properly do it was the migration.  He said we could try the 
backup/restore but that the success rate for that was not good.

So we're spending months doing a side-by-side migration.

Mike



From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Robert Spinelli
Sent: Monday, December 18, 2017 2:11 PM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: RE: [mssms] Upgrading Config Mgr

You must have something else going on with your site.  It doesn't make sense 
you would need to do site by site over just moving to new SQL cluster.  If your 
saying you're doing it up to clean old crap that's different.

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Marable, Mike
Sent: Friday, December 15, 2017 7:12 AM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: RE: [mssms] Upgrading Config Mgr

Same here.  We would never be able to just click "go" without a vetted plan in 
place and change management involved.  With 35K clients we are by no means a 
large organization, but if something were to go sideways in the upgrade and we 
skipped the planning and control, there wouldn't be enough time to update 
resumes once they came for us.

On top of that there are other factors to figure in before you click "go".  For 
example, in our case we are going to have to do a side-by-side site migration 
because our SQL cluster is no longer supported (hardware is out of warranty).  
Best practices from the Microsoft PFE was to do a site migration as opposed to 
attempting to just moving the database to a new cluster.  So we're going to 
spend a great deal of time migrating content, collections, sequences, etc. to 
the new site servers, test and validate it all, then start migrating clients.

Then we can click "go" and upgrade the new site to 18xx.

Mike

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Mawdsley R.
Sent: Friday, December 15, 2017 3:55 AM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: RE: [mssms] Upgrading Config Mgr

It's the same here.. and, I'd hope everywhere have some form of change control. 
 Although it obviously depends on how big the shop is.

I think everyone who has been through a failed upgrade at some point in time, 
is always slightly more weary of the potential for downtime.

Personally, I'll upgrade my Dev environment a week or so after its out in Fast 
Ring.. then Prod a few weeks after its general release.  But I'll submit a 
change, and communicate its upcoming upgrade to all relevant teams long before 
and in the build up to it being done.

Rich Mawdsley

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Heaton, Joseph@Wildlife
Sent: 14 December 2017 16:35
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: RE: [mssms] Upgrading Config Mgr

My organization requires a more formal plan for any updates.  And it goes 
through a weekly approval board, so I still have to line everything up nicely.  
I got the go-ahead to upgrade ADK today, but the server updates haven't gone to 
the approval board yet.

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Stuart Watret
Sent: Wednesday, December 13, 2017 12:19 PM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: Re: [mssms] Upgrading Config Mgr

You must be using lots of new features if you need a plan :) :)
Run the pre-requ check that would tell you if 1702 to 1706 will work (it will)

With quarterly updates I wouldn't spend to long planning !

Backup and press go...


Stuart


On 12 Dec 2017, at 18:07, Heaton, Joseph@Wildlife 
mailto:joseph.hea...@wildlife.ca.gov>> wrote:

I am currently running 1702.  I've written up my plans and method for upgrading 
to 1706, but over the weekend 1710 showed up in my availables.  I have seen 
some 

RE: [mssms] Upgrading Config Mgr

[Heaton, Joseph@Wildlife]

l. 
 Although it obviously depends on how big the shop is.

I think everyone who has been through a failed upgrade at some point in time, 
is always slightly more weary of the potential for downtime.

Personally, I’ll upgrade my Dev environment a week or so after its out in Fast 
Ring.. then Prod a few weeks after its general release.  But I’ll submit a 
change, and communicate its upcoming upgrade to all relevant teams long before 
and in the build up to it being done.

Rich Mawdsley

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Heaton, Joseph@Wildlife
Sent: 14 December 2017 16:35
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: RE: [mssms] Upgrading Config Mgr

My organization requires a more formal plan for any updates.  And it goes 
through a weekly approval board, so I still have to line everything up nicely.  
I got the go-ahead to upgrade ADK today, but the server updates haven’t gone to 
the approval board yet.

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Stuart Watret
Sent: Wednesday, December 13, 2017 12:19 PM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: Re: [mssms] Upgrading Config Mgr

You must be using lots of new features if you need a plan :) :)
Run the pre-requ check that would tell you if 1702 to 1706 will work (it will)

With quarterly updates I wouldn’t spend to long planning !

Backup and press go…….


Stuart


On 12 Dec 2017, at 18:07, Heaton, Joseph@Wildlife 
mailto:joseph.hea...@wildlife.ca.gov>> wrote:

I am currently running 1702.  I’ve written up my plans and method for upgrading 
to 1706, but over the weekend 1710 showed up in my availables.  I have seen 
some really cool stuff coming with 1710, but is it still too soon for 
production?  Can I upgrade from 1702 directly to 1710?

Joe Heaton
Information Technology Operations Branch
Data and Technology Division
CA Department of Fish and Wildlife
1700 9th Street, 3rd Floor
Sacramento, CA  95811
Desk:  916-323-1284





**
Electronic Mail is not secure, may not be read every day, and should not be 
used for urgent or sensitive issues





--
Thank you,

Sherry Kissinger

My Parameters:  Standardize. Simplify. Automate
Blog: 
http://mnscug.org/blogs/sherry-kissinger<https://urldefense.proofpoint.com/v2/url?u=http-3A__mnscug.org_blogs_sherry-2Dkissinger&d=DwMFaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=8W05-ToKtZdWVatHir2IiQ&m=dzytjgWen4upRvAi5jmGvc9VoLsC-9TZSSOMqoNAnuY&s=tdcDnOO59GQiYPlt0GdnkwSPAYl1bmboQIbrc9kvoN0&e=>

RE: [mssms] Upgrading Config Mgr

[Heaton, Joseph@Wildlife]

My organization requires a more formal plan for any updates.  And it goes 
through a weekly approval board, so I still have to line everything up nicely.  
I got the go-ahead to upgrade ADK today, but the server updates haven’t gone to 
the approval board yet.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Stuart Watret
Sent: Wednesday, December 13, 2017 12:19 PM
To: mssms@lists.myitforum.com
Subject: Re: [mssms] Upgrading Config Mgr

You must be using lots of new features if you need a plan :) :)
Run the pre-requ check that would tell you if 1702 to 1706 will work (it will)

With quarterly updates I wouldn’t spend to long planning !

Backup and press go…….


Stuart




On 12 Dec 2017, at 18:07, Heaton, Joseph@Wildlife 
mailto:joseph.hea...@wildlife.ca.gov>> wrote:

I am currently running 1702.  I’ve written up my plans and method for upgrading 
to 1706, but over the weekend 1710 showed up in my availables.  I have seen 
some really cool stuff coming with 1710, but is it still too soon for 
production?  Can I upgrade from 1702 directly to 1710?

Joe Heaton
Information Technology Operations Branch
Data and Technology Division
CA Department of Fish and Wildlife
1700 9th Street, 3rd Floor
Sacramento, CA  95811
Desk:  916-323-1284

[mssms] Upgrading Config Mgr

[Heaton, Joseph@Wildlife]

I am currently running 1702.  I've written up my plans and method for upgrading 
to 1706, but over the weekend 1710 showed up in my availables.  I have seen 
some really cool stuff coming with 1710, but is it still too soon for 
production?  Can I upgrade from 1702 directly to 1710?

Joe Heaton
Information Technology Operations Branch
Data and Technology Division
CA Department of Fish and Wildlife
1700 9th Street, 3rd Floor
Sacramento, CA  95811
Desk:  916-323-1284

[mssms] SQL compatibility level

[Heaton, Joseph@Wildlife]

Is there any reason to not have your SQL compatibility level for the CM 
database at the same level as the SQL installed?  i.e., I'm running SQL 2014, 
but my CM_xxx database is at 2012 compatibility level.

Joe Heaton
Information Technology Operations Branch
Data and Technology Division
CA Department of Fish and Wildlife
1700 9th Street, 3rd Floor
Sacramento, CA  95811
Desk:  916-323-1284

[mssms] RE: Weird status message for server patching

[Heaton, Joseph@Wildlife]

So, I babysat the SCCM server yesterday, and the WSUSPool stopped a couple of 
other times through the day.  This morning, the app pool is running, but I do 
still see 9 instances of w3wp.exe running in Task Manager, one of which is 
using over 3GB of memory, and another right around 1GB.  Is this because WSUS 
is still trying to download the Win 10 updates?

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Dam, Bryan
Sent: Tuesday, November 28, 2017 8:12 AM
To: mssms@lists.myitforum.com
Subject: [mssms] RE: Weird status message for server patching

> Are your recommendations tempered at all by the fact I use SCCM
Not at all.

>normally don't interact directly with WSUS at all?
And that's the problem. It's understandable since for years that was the mantra 
but you can no longer ignore WSUS.  Doing so is practically guaranteed to lead 
to the issues you are seeing.  If you find comfort in such a thing, you are not 
alone.

 Bryan

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Heaton, Joseph@Wildlife
Sent: Tuesday, November 28, 2017 10:36 AM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: [mssms] RE: Weird status message for server patching

Thanks for the response Jason.  As I mentioned to Bryan, I do see the issue, 
and I will definitely take a look at the references.

Are your recommendations tempered at all by the fact I use SCCM, so normally 
don't interact directly with WSUS at all?

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Jason Sandys
Sent: Monday, November 27, 2017 7:58 PM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: [mssms] RE: Weird status message for server patching

Also,


Have you

- Declined all superseded updates directly in WSUS?

- Adjusted the private memory limit on the WSUS IIS App Pool?

- Adjusted the queue length on the WSUS IIS App Pool?

- Have you reindexed the DB and rebuilt its statistics?

- Have you applied the latest CU to the OS hosting the WSUS instance?

References:

- 
https://blogs.technet.microsoft.com/configurationmgr/2016/01/26/the-complete-guide-to-microsoft-wsus-and-configuration-manager-sup-maintenance/<https://urldefense.proofpoint.com/v2/url?u=https-3A__blogs.technet.microsoft.com_configurationmgr_2016_01_26_the-2Dcomplete-2Dguide-2Dto-2Dmicrosoft-2Dwsus-2Dand-2Dconfiguration-2Dmanager-2Dsup-2Dmaintenance_&d=DwMFAg&c=NjgxpSSi0c1nSHFRGItzyA&r=KWpqtEEfXhZfmzEhpZYWbkTAjRbCjXuhffs_frSMo9A&m=Tr-Psakt7NuoMRPjk6gJ7nkyJwbWOPG3sLWltQH-UXw&s=MpiznPBibELJh9A0aYm40akC6C9UDRwSNhIu2MZBl5k&e=>

- 
http://blog.ctglobalservices.com/configuration-manager-sccm/kea/house-of-cardsthe-configmgr-software-update-point-and-WSUS/<https://urldefense.proofpoint.com/v2/url?u=http-3A__blog.ctglobalservices.com_configuration-2Dmanager-2Dsccm_kea_house-2Dof-2Dcardsthe-2Dconfigmgr-2Dsoftware-2Dupdate-2Dpoint-2Dand-2DWSUS_&d=DwMFAg&c=NjgxpSSi0c1nSHFRGItzyA&r=KWpqtEEfXhZfmzEhpZYWbkTAjRbCjXuhffs_frSMo9A&m=Tr-Psakt7NuoMRPjk6gJ7nkyJwbWOPG3sLWltQH-UXw&s=Ogl85NqjMkfm71D8FS2YbbTuDciYTpUJuG_8ATFF75g&e=>

- 
https://blogs.msdn.microsoft.com/the_secure_infrastructure_guy/2015/09/02/windows-server-2012-r2-wsus-issue-clients-cause-the-wsus-app-pool-to-become-unresponsive-with-http-503/<https://urldefense.proofpoint.com/v2/url?u=https-3A__blogs.msdn.microsoft.com_the-5Fsecure-5Finfrastructure-5Fguy_2015_09_02_windows-2Dserver-2D2012-2Dr2-2Dwsus-2Dissue-2Dclients-2Dcause-2Dthe-2Dwsus-2Dapp-2Dpool-2Dto-2Dbecome-2Dunresponsive-2Dwith-2Dhttp-2D503_&d=DwMFAg&c=NjgxpSSi0c1nSHFRGItzyA&r=KWpqtEEfXhZfmzEhpZYWbkTAjRbCjXuhffs_frSMo9A&m=Tr-Psakt7NuoMRPjk6gJ7nkyJwbWOPG3sLWltQH-UXw&s=8jGwOWeZbc7liq1pjkuHWbp1VeEBQ8LOENpqZuvoAe8&e=>

- 
https://blogs.technet.microsoft.com/configurationmgr/2017/08/18/high-cpuhigh-memory-in-wsus-following-update-tuesdays/<https://urldefense.proofpoint.com/v2/url?u=https-3A__blogs.technet.microsoft.com_configurationmgr_2017_08_18_high-2Dcpuhigh-2Dmemory-2Din-2Dwsus-2Dfollowing-2Dupdate-2Dtuesdays_&d=DwMFAg&c=NjgxpSSi0c1nSHFRGItzyA&r=KWpqtEEfXhZfmzEhpZYWbkTAjRbCjXuhffs_frSMo9A&m=Tr-Psakt7NuoMRPjk6gJ7nkyJwbWOPG3sLWltQH-UXw&s=AMDEiOGN95tpVGx80k2aAiXYyWUWzHcmUu7Uxskp5j4&e=>
J

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Dam, Bryan
Sent: Monday, November 27, 2017 3:30 PM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: [mssms] RE: Weird status message for server patching

That suggests an issue with your WSUS/SUPs.  Make sure the WSUS IIS app pool 
(WsusPool) is started.  Then review this: 
https://blogs.technet.microsoft.com/configurationm

[mssms] RE: Weird status message for server patching

[Heaton, Joseph@Wildlife]

Only consistent thing in the IT field is that things change.  I will have to 
find the time to include the WSUS/SUP maintenance.  Just wish SCCM wasn't 
expected to be such a small part of my role here.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Dam, Bryan
Sent: Tuesday, November 28, 2017 8:12 AM
To: mssms@lists.myitforum.com
Subject: [mssms] RE: Weird status message for server patching

> Are your recommendations tempered at all by the fact I use SCCM
Not at all.

>normally don't interact directly with WSUS at all?
And that's the problem. It's understandable since for years that was the mantra 
but you can no longer ignore WSUS.  Doing so is practically guaranteed to lead 
to the issues you are seeing.  If you find comfort in such a thing, you are not 
alone.

 Bryan

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Heaton, Joseph@Wildlife
Sent: Tuesday, November 28, 2017 10:36 AM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: [mssms] RE: Weird status message for server patching

Thanks for the response Jason.  As I mentioned to Bryan, I do see the issue, 
and I will definitely take a look at the references.

Are your recommendations tempered at all by the fact I use SCCM, so normally 
don't interact directly with WSUS at all?

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Jason Sandys
Sent: Monday, November 27, 2017 7:58 PM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: [mssms] RE: Weird status message for server patching

Also,


Have you

- Declined all superseded updates directly in WSUS?

- Adjusted the private memory limit on the WSUS IIS App Pool?

- Adjusted the queue length on the WSUS IIS App Pool?

- Have you reindexed the DB and rebuilt its statistics?

- Have you applied the latest CU to the OS hosting the WSUS instance?

References:

- 
https://blogs.technet.microsoft.com/configurationmgr/2016/01/26/the-complete-guide-to-microsoft-wsus-and-configuration-manager-sup-maintenance/<https://urldefense.proofpoint.com/v2/url?u=https-3A__blogs.technet.microsoft.com_configurationmgr_2016_01_26_the-2Dcomplete-2Dguide-2Dto-2Dmicrosoft-2Dwsus-2Dand-2Dconfiguration-2Dmanager-2Dsup-2Dmaintenance_&d=DwMFAg&c=NjgxpSSi0c1nSHFRGItzyA&r=KWpqtEEfXhZfmzEhpZYWbkTAjRbCjXuhffs_frSMo9A&m=Tr-Psakt7NuoMRPjk6gJ7nkyJwbWOPG3sLWltQH-UXw&s=MpiznPBibELJh9A0aYm40akC6C9UDRwSNhIu2MZBl5k&e=>

- 
http://blog.ctglobalservices.com/configuration-manager-sccm/kea/house-of-cardsthe-configmgr-software-update-point-and-WSUS/<https://urldefense.proofpoint.com/v2/url?u=http-3A__blog.ctglobalservices.com_configuration-2Dmanager-2Dsccm_kea_house-2Dof-2Dcardsthe-2Dconfigmgr-2Dsoftware-2Dupdate-2Dpoint-2Dand-2DWSUS_&d=DwMFAg&c=NjgxpSSi0c1nSHFRGItzyA&r=KWpqtEEfXhZfmzEhpZYWbkTAjRbCjXuhffs_frSMo9A&m=Tr-Psakt7NuoMRPjk6gJ7nkyJwbWOPG3sLWltQH-UXw&s=Ogl85NqjMkfm71D8FS2YbbTuDciYTpUJuG_8ATFF75g&e=>

- 
https://blogs.msdn.microsoft.com/the_secure_infrastructure_guy/2015/09/02/windows-server-2012-r2-wsus-issue-clients-cause-the-wsus-app-pool-to-become-unresponsive-with-http-503/<https://urldefense.proofpoint.com/v2/url?u=https-3A__blogs.msdn.microsoft.com_the-5Fsecure-5Finfrastructure-5Fguy_2015_09_02_windows-2Dserver-2D2012-2Dr2-2Dwsus-2Dissue-2Dclients-2Dcause-2Dthe-2Dwsus-2Dapp-2Dpool-2Dto-2Dbecome-2Dunresponsive-2Dwith-2Dhttp-2D503_&d=DwMFAg&c=NjgxpSSi0c1nSHFRGItzyA&r=KWpqtEEfXhZfmzEhpZYWbkTAjRbCjXuhffs_frSMo9A&m=Tr-Psakt7NuoMRPjk6gJ7nkyJwbWOPG3sLWltQH-UXw&s=8jGwOWeZbc7liq1pjkuHWbp1VeEBQ8LOENpqZuvoAe8&e=>

- 
https://blogs.technet.microsoft.com/configurationmgr/2017/08/18/high-cpuhigh-memory-in-wsus-following-update-tuesdays/<https://urldefense.proofpoint.com/v2/url?u=https-3A__blogs.technet.microsoft.com_configurationmgr_2017_08_18_high-2Dcpuhigh-2Dmemory-2Din-2Dwsus-2Dfollowing-2Dupdate-2Dtuesdays_&d=DwMFAg&c=NjgxpSSi0c1nSHFRGItzyA&r=KWpqtEEfXhZfmzEhpZYWbkTAjRbCjXuhffs_frSMo9A&m=Tr-Psakt7NuoMRPjk6gJ7nkyJwbWOPG3sLWltQH-UXw&s=AMDEiOGN95tpVGx80k2aAiXYyWUWzHcmUu7Uxskp5j4&e=>
J

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Dam, Bryan
Sent: Monday, November 27, 2017 3:30 PM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: [mssms] RE: Weird status message for server patching

That suggests an issue with your WSUS/SUPs.  Make sure the WSUS IIS app pool 
(WsusPool) is started.  Then review this: 
https://blogs.technet.microsoft.com/configurationmgr/2017/08/18/high-cpuhigh-memory-in-wsus-following-update-tuesdays/<https://urldefense.proofpoint.com/v2/url?u=https-3A__blogs.technet.micro

[mssms] RE: Weird status message for server patching

[Heaton, Joseph@Wildlife]

Thanks for the response Jason.  As I mentioned to Bryan, I do see the issue, 
and I will definitely take a look at the references.

Are your recommendations tempered at all by the fact I use SCCM, so normally 
don't interact directly with WSUS at all?

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Jason Sandys
Sent: Monday, November 27, 2017 7:58 PM
To: mssms@lists.myitforum.com
Subject: [mssms] RE: Weird status message for server patching

Also,


Have you

- Declined all superseded updates directly in WSUS?

- Adjusted the private memory limit on the WSUS IIS App Pool?

- Adjusted the queue length on the WSUS IIS App Pool?

- Have you reindexed the DB and rebuilt its statistics?

- Have you applied the latest CU to the OS hosting the WSUS instance?

References:

- 
https://blogs.technet.microsoft.com/configurationmgr/2016/01/26/the-complete-guide-to-microsoft-wsus-and-configuration-manager-sup-maintenance/

- 
http://blog.ctglobalservices.com/configuration-manager-sccm/kea/house-of-cardsthe-configmgr-software-update-point-and-WSUS/

- 
https://blogs.msdn.microsoft.com/the_secure_infrastructure_guy/2015/09/02/windows-server-2012-r2-wsus-issue-clients-cause-the-wsus-app-pool-to-become-unresponsive-with-http-503/

- 
https://blogs.technet.microsoft.com/configurationmgr/2017/08/18/high-cpuhigh-memory-in-wsus-following-update-tuesdays/
J

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Dam, Bryan
Sent: Monday, November 27, 2017 3:30 PM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: [mssms] RE: Weird status message for server patching

That suggests an issue with your WSUS/SUPs.  Make sure the WSUS IIS app pool 
(WsusPool) is started.  Then review this: 
https://blogs.technet.microsoft.com/configurationmgr/2017/08/18/high-cpuhigh-memory-in-wsus-following-update-tuesdays/

Note that the hotfixes there aren't silver bullets.  WSUS is going to need the 
resources it's going to need.  You can lessen that by applying the latest 
hotfixes and actively maintaining it.  However, when you sync updates and 
create a new catalog version your clients are all going to try to get it based 
on the schedule(s) you've set.  That's going to take CPU and Memory and at some 
point your SUP(s) are going to be overwhelmed.

Bryan

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Heaton, Joseph@Wildlife
Sent: Tuesday, November 21, 2017 7:28 PM
To: 'mssms@lists.myitforum.com' 
mailto:mssms@lists.myitforum.com>>
Subject: [mssms] Weird status message for server patching

This month, I have a LOT of servers showing up as Errors for patching.  
However, when I log into these servers, it shows that all the updates installed 
successfully.  The most prominent error I get is 0x80244022:  Same as HTTP 
status 503 - the service is temporarily overloaded.

Problem is, these deployments were separated by a day, and really didn't have 
that many clients in them, one had 112 servers, and one had 34 servers.

Joe Heaton
Information Technology Operations Branch
Data and Technology Division
CA Department of Fish and Wildlife
1700 9th Street, 3rd Floor
Sacramento, CA  95811
Desk:  916-323-1284

[mssms] RE: Weird status message for server patching

[Heaton, Joseph@Wildlife]

Thank you for the response.  The WSUSPool was indeed stopped.  However, I have 
no idea why that would have been.  I use SCCM, so I don't interact directly 
with WSUS ever.  It has always just worked.

I do see one or two w3wp.exe processes using quite a bit of memory, around 3GB 
between the two.  The app pool has stopped once more so far this morning.  I 
will definitely install the hotfix, to see if that helps, and take a look at 
the maintenance that is linked to in that article.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Dam, Bryan
Sent: Monday, November 27, 2017 1:30 PM
To: mssms@lists.myitforum.com
Subject: [mssms] RE: Weird status message for server patching

That suggests an issue with your WSUS/SUPs.  Make sure the WSUS IIS app pool 
(WsusPool) is started.  Then review this: 
https://blogs.technet.microsoft.com/configurationmgr/2017/08/18/high-cpuhigh-memory-in-wsus-following-update-tuesdays/

Note that the hotfixes there aren't silver bullets.  WSUS is going to need the 
resources it's going to need.  You can lessen that by applying the latest 
hotfixes and actively maintaining it.  However, when you sync updates and 
create a new catalog version your clients are all going to try to get it based 
on the schedule(s) you've set.  That's going to take CPU and Memory and at some 
point your SUP(s) are going to be overwhelmed.

Bryan

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Heaton, Joseph@Wildlife
Sent: Tuesday, November 21, 2017 7:28 PM
To: 'mssms@lists.myitforum.com' 
mailto:mssms@lists.myitforum.com>>
Subject: [mssms] Weird status message for server patching

This month, I have a LOT of servers showing up as Errors for patching.  
However, when I log into these servers, it shows that all the updates installed 
successfully.  The most prominent error I get is 0x80244022:  Same as HTTP 
status 503 - the service is temporarily overloaded.

Problem is, these deployments were separated by a day, and really didn't have 
that many clients in them, one had 112 servers, and one had 34 servers.

Joe Heaton
Information Technology Operations Branch
Data and Technology Division
CA Department of Fish and Wildlife
1700 9th Street, 3rd Floor
Sacramento, CA  95811
Desk:  916-323-1284

[mssms] Weird status message for server patching

[Heaton, Joseph@Wildlife]

This month, I have a LOT of servers showing up as Errors for patching.  
However, when I log into these servers, it shows that all the updates installed 
successfully.  The most prominent error I get is 0x80244022:  Same as HTTP 
status 503 - the service is temporarily overloaded.

Problem is, these deployments were separated by a day, and really didn't have 
that many clients in them, one had 112 servers, and one had 34 servers.

Joe Heaton
Information Technology Operations Branch
Data and Technology Division
CA Department of Fish and Wildlife
1700 9th Street, 3rd Floor
Sacramento, CA  95811
Desk:  916-323-1284

RE: [mssms] Adding a list of users to a user collection

[Heaton, Joseph@Wildlife]

I figured out what the issue was.  There were a bunch of disabled users in the 
original list/group, which, apparently, SCCM doesn't care for.  Looks like I'm 
all good,

Thanks for all the help, guys.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of John Marcum
Sent: Tuesday, November 21, 2017 9:50 AM
To: mssms@lists.myitforum.com
Subject: RE: [mssms] Adding a list of users to a user collection

There's actually two different ways to write the query for the membership of 
those type collections. I don't have one in front of me though. One way each 
member of the group is displayed in the collection, the other way only the 
group name itself is displayed. If you use the way that each user is shown in 
the collection I think the user has to log out and back in after they are added 
to the group before they will show up. I don't do it that way for that reason.






Sensitivity: Confidential between partners
From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Heaton, Joseph@Wildlife
Sent: Tuesday, November 21, 2017 9:25 AM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: RE: [mssms] Adding a list of users to a user collection

Ok, so it worked To a point.  For some reason, the user collection does not 
have the same number of members that the AD security group has.  It's over 100 
users short.  Any idea why that would happen?  User discovery is at the root of 
the domain, so should be getting all users, no matter where they are.

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of John Marcum
Sent: Tuesday, November 21, 2017 6:36 AM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: RE: [mssms] Adding a list of users to a user collection

Agreed... this is by far my preferred method for populating collections. You 
get the added flexibility of being able to reuse the groups  for other purposes 
too such as GPO's that are related to the software being deployed. At the law 
firm I left recently we used 1E shopping to populate the groups in a 
self-service manner which was super easy



Sensitivity: Confidential between partners
From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Heaton, Joseph@Wildlife
Sent: Monday, November 20, 2017 1:58 PM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: Re: [mssms] Adding a list of users to a user collection

Awesome, thanks.  I'll try that out.
Sent from my iPhone

On Nov 20, 2017, at 3:08 AM, Stuart Watret 
mailto:stu...@offshore-it.co.uk>> wrote:
Have to agree, our deployments are based on collections based on ad group 
member ships.
It's great.

Stuart

On 18 Nov 2017, at 03:51, Nemec, Dale 
mailto:dale.ne...@tektronix.com>> wrote:

We use an Active Directory security group, and SCCM pulls the users from the 
security group.

This is the Collection query we use:

select 
SMS_R_USER.ResourceID,SMS_R_USER.ResourceType,SMS_R_USER.Name,SMS_R_USER.UniqueUserName,SMS_R_USER.WindowsNTDomain
 from SMS_R_User where SMS_R_User.UserGroupName = 
"\\>"

Of course, you need to also discover the OU that the security group is in under 
your site Discovery settings.

Then use powershell to populate the AD security group.

This gives us the flexibility to allow our help desk technicians to add/remove 
users from the AD security group without having to grant access to the SCCM 
Admin Console.

We have different AD security groups for each user deployment.

Good luck!

Dale Nemec | Global Architecture & Technology Ops (ESS) | Tektronix

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Heaton, Joseph@Wildlife
Sent: Friday, November 17, 2017 3:30 PM
To: 'mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>' 
mailto:mssms@lists.myitforum.com>>
Subject: [mssms] Adding a list of users to a user collection

I have the Now Micro right-click tools installed, so I thought it was going to 
be as easy as dropping the list of samaccountnames in the box, but that didn't 
work.  So, I tried UPN, and that didn't work.  Then I tried putting the domain 
name in there with sam, and that didn't work.  How can I get a list of 1800 
users into a user collection without doing it manually? I was looking at the CM 
Powershell cmdlets, but the technet cmdlet reference doesn't give very good 
examples.  Is that the way I should be looking, though?  And if so, what format 
does the user name need to be in to work?

Joe Heaton
Information Technology Operations Branch
Data and Technology Division
CA Department of Fish and

RE: [mssms] Adding a list of users to a user collection

[Heaton, Joseph@Wildlife]

The query ended up as Dale wrote it earlier in this thread.  Over 1600 members 
showed up on initial membership update, and 2 more added this morning.  Still 
over 100 short.  Here's my query:

select 
SMS_R_USER.ResourceID,SMS_R_USER.ResourceType,SMS_R_USER.Name,SMS_R_USER.UniqueUserName,SMS_R_USER.WindowsNTDomain
 from SMS_R_User where SMS_R_User.SecurityGroupName = "Domain\\GroupName"

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of John Marcum
Sent: Tuesday, November 21, 2017 9:50 AM
To: mssms@lists.myitforum.com
Subject: RE: [mssms] Adding a list of users to a user collection

There's actually two different ways to write the query for the membership of 
those type collections. I don't have one in front of me though. One way each 
member of the group is displayed in the collection, the other way only the 
group name itself is displayed. If you use the way that each user is shown in 
the collection I think the user has to log out and back in after they are added 
to the group before they will show up. I don't do it that way for that reason.






Sensitivity: Confidential between partners
From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Heaton, Joseph@Wildlife
Sent: Tuesday, November 21, 2017 9:25 AM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: RE: [mssms] Adding a list of users to a user collection

Ok, so it worked To a point.  For some reason, the user collection does not 
have the same number of members that the AD security group has.  It's over 100 
users short.  Any idea why that would happen?  User discovery is at the root of 
the domain, so should be getting all users, no matter where they are.

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of John Marcum
Sent: Tuesday, November 21, 2017 6:36 AM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: RE: [mssms] Adding a list of users to a user collection

Agreed... this is by far my preferred method for populating collections. You 
get the added flexibility of being able to reuse the groups  for other purposes 
too such as GPO's that are related to the software being deployed. At the law 
firm I left recently we used 1E shopping to populate the groups in a 
self-service manner which was super easy



Sensitivity: Confidential between partners
From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Heaton, Joseph@Wildlife
Sent: Monday, November 20, 2017 1:58 PM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: Re: [mssms] Adding a list of users to a user collection

Awesome, thanks.  I'll try that out.
Sent from my iPhone

On Nov 20, 2017, at 3:08 AM, Stuart Watret 
mailto:stu...@offshore-it.co.uk>> wrote:
Have to agree, our deployments are based on collections based on ad group 
member ships.
It's great.

Stuart

On 18 Nov 2017, at 03:51, Nemec, Dale 
mailto:dale.ne...@tektronix.com>> wrote:

We use an Active Directory security group, and SCCM pulls the users from the 
security group.

This is the Collection query we use:

select 
SMS_R_USER.ResourceID,SMS_R_USER.ResourceType,SMS_R_USER.Name,SMS_R_USER.UniqueUserName,SMS_R_USER.WindowsNTDomain
 from SMS_R_User where SMS_R_User.UserGroupName = 
"\\>"

Of course, you need to also discover the OU that the security group is in under 
your site Discovery settings.

Then use powershell to populate the AD security group.

This gives us the flexibility to allow our help desk technicians to add/remove 
users from the AD security group without having to grant access to the SCCM 
Admin Console.

We have different AD security groups for each user deployment.

Good luck!

Dale Nemec | Global Architecture & Technology Ops (ESS) | Tektronix

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Heaton, Joseph@Wildlife
Sent: Friday, November 17, 2017 3:30 PM
To: 'mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>' 
mailto:mssms@lists.myitforum.com>>
Subject: [mssms] Adding a list of users to a user collection

I have the Now Micro right-click tools installed, so I thought it was going to 
be as easy as dropping the list of samaccountnames in the box, but that didn't 
work.  So, I tried UPN, and that didn't work.  Then I tried putting the domain 
name in there with sam, and that didn't work.  How can I get a list of 1800 
users into a user collection without doing it manually? I was looking at the CM 
Powershell cmdlets, but the technet cmdlet reference doesn't give very good 
examples.  Is that the way I should be looki

RE: [mssms] Adding a list of users to a user collection

[Heaton, Joseph@Wildlife]

I completely agree, and yet, it is happening.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Stuart Watret
Sent: Tuesday, November 21, 2017 9:30 AM
To: mssms@lists.myitforum.com
Subject: Re: [mssms] Adding a list of users to a user collection

Now that makes no sense!


On 21 Nov 2017, at 15:25, Heaton, Joseph@Wildlife 
mailto:joseph.hea...@wildlife.ca.gov>> wrote:

Ok, so it worked…. To a point.  For some reason, the user collection does not 
have the same number of members that the AD security group has.  It’s over 100 
users short.  Any idea why that would happen?  User discovery is at the root of 
the domain, so should be getting all users, no matter where they are.

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of John Marcum
Sent: Tuesday, November 21, 2017 6:36 AM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: RE: [mssms] Adding a list of users to a user collection

Agreed… this is by far my preferred method for populating collections. You get 
the added flexibility of being able to reuse the groups  for other purposes too 
such as GPO’s that are related to the software being deployed. At the law firm 
I left recently we used 1E shopping to populate the groups in a self-service 
manner which was super easy



Sensitivity: Confidential between partners
From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Heaton, Joseph@Wildlife
Sent: Monday, November 20, 2017 1:58 PM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: Re: [mssms] Adding a list of users to a user collection

Awesome, thanks.  I’ll try that out.
Sent from my iPhone

On Nov 20, 2017, at 3:08 AM, Stuart Watret 
mailto:stu...@offshore-it.co.uk>> wrote:
Have to agree, our deployments are based on collections based on ad group 
member ships.
It’s great.

Stuart

On 18 Nov 2017, at 03:51, Nemec, Dale 
mailto:dale.ne...@tektronix.com>> wrote:

We use an Active Directory security group, and SCCM pulls the users from the 
security group.

This is the Collection query we use:

select 
SMS_R_USER.ResourceID,SMS_R_USER.ResourceType,SMS_R_USER.Name,SMS_R_USER.UniqueUserName,SMS_R_USER.WindowsNTDomain
 from SMS_R_User where SMS_R_User.UserGroupName = 
"\\>"

Of course, you need to also discover the OU that the security group is in under 
your site Discovery settings.

Then use powershell to populate the AD security group.

This gives us the flexibility to allow our help desk technicians to add/remove 
users from the AD security group without having to grant access to the SCCM 
Admin Console.

We have different AD security groups for each user deployment.

Good luck!

Dale Nemec | Global Architecture & Technology Ops (ESS) | Tektronix

From: 
listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com>[mailto:listsad...@lists.myitforum.com]
 On Behalf Of Heaton, Joseph@Wildlife
Sent: Friday, November 17, 2017 3:30 PM
To: 'mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>' 
mailto:mssms@lists.myitforum.com>>
Subject: [mssms] Adding a list of users to a user collection

I have the Now Micro right-click tools installed, so I thought it was going to 
be as easy as dropping the list of samaccountnames in the box, but that didn’t 
work.  So, I tried UPN, and that didn’t work.  Then I tried putting the domain 
name in there with sam, and that didn’t work.  How can I get a list of 1800 
users into a user collection without doing it manually? I was looking at the CM 
Powershell cmdlets, but the technet cmdlet reference doesn’t give very good 
examples.  Is that the way I should be looking, though?  And if so, what format 
does the user name need to be in to work?

Joe Heaton
Information Technology Operations Branch
Data and Technology Division
CA Department of Fish and Wildlife
1700 9th Street, 3rd Floor
Sacramento, CA  95811
Desk:  916-323-1284


Please be advised that this email may contain confidential information. If you 
are not the intended recipient, please notify us by email by replying to the 
sender and delete this message. The sender disclaims that the content of this 
email constitutes an offer to enter into, or the acceptance of, any agreement; 
provided that the foregoing does not invalidate the binding effect of any 
digital or other electronic reproduction of a manual signature that is included 
in any attachment.

RE: [mssms] Adding a list of users to a user collection

[Heaton, Joseph@Wildlife]

Ok, so it worked To a point.  For some reason, the user collection does not 
have the same number of members that the AD security group has.  It's over 100 
users short.  Any idea why that would happen?  User discovery is at the root of 
the domain, so should be getting all users, no matter where they are.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of John Marcum
Sent: Tuesday, November 21, 2017 6:36 AM
To: mssms@lists.myitforum.com
Subject: RE: [mssms] Adding a list of users to a user collection

Agreed... this is by far my preferred method for populating collections. You 
get the added flexibility of being able to reuse the groups  for other purposes 
too such as GPO's that are related to the software being deployed. At the law 
firm I left recently we used 1E shopping to populate the groups in a 
self-service manner which was super easy



Sensitivity: Confidential between partners
From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Heaton, Joseph@Wildlife
Sent: Monday, November 20, 2017 1:58 PM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: Re: [mssms] Adding a list of users to a user collection

Awesome, thanks.  I'll try that out.
Sent from my iPhone

On Nov 20, 2017, at 3:08 AM, Stuart Watret 
mailto:stu...@offshore-it.co.uk>> wrote:
Have to agree, our deployments are based on collections based on ad group 
member ships.
It's great.

Stuart

On 18 Nov 2017, at 03:51, Nemec, Dale 
mailto:dale.ne...@tektronix.com>> wrote:

We use an Active Directory security group, and SCCM pulls the users from the 
security group.

This is the Collection query we use:

select 
SMS_R_USER.ResourceID,SMS_R_USER.ResourceType,SMS_R_USER.Name,SMS_R_USER.UniqueUserName,SMS_R_USER.WindowsNTDomain
 from SMS_R_User where SMS_R_User.UserGroupName = 
"\\>"

Of course, you need to also discover the OU that the security group is in under 
your site Discovery settings.

Then use powershell to populate the AD security group.

This gives us the flexibility to allow our help desk technicians to add/remove 
users from the AD security group without having to grant access to the SCCM 
Admin Console.

We have different AD security groups for each user deployment.

Good luck!

Dale Nemec | Global Architecture & Technology Ops (ESS) | Tektronix

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Heaton, Joseph@Wildlife
Sent: Friday, November 17, 2017 3:30 PM
To: 'mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>' 
mailto:mssms@lists.myitforum.com>>
Subject: [mssms] Adding a list of users to a user collection

I have the Now Micro right-click tools installed, so I thought it was going to 
be as easy as dropping the list of samaccountnames in the box, but that didn't 
work.  So, I tried UPN, and that didn't work.  Then I tried putting the domain 
name in there with sam, and that didn't work.  How can I get a list of 1800 
users into a user collection without doing it manually? I was looking at the CM 
Powershell cmdlets, but the technet cmdlet reference doesn't give very good 
examples.  Is that the way I should be looking, though?  And if so, what format 
does the user name need to be in to work?

Joe Heaton
Information Technology Operations Branch
Data and Technology Division
CA Department of Fish and Wildlife
1700 9th Street, 3rd Floor
Sacramento, CA  95811
Desk:  916-323-1284


Please be advised that this email may contain confidential information. If you 
are not the intended recipient, please notify us by email by replying to the 
sender and delete this message. The sender disclaims that the content of this 
email constitutes an offer to enter into, or the acceptance of, any agreement; 
provided that the foregoing does not invalidate the binding effect of any 
digital or other electronic reproduction of a manual signature that is included 
in any attachment.

Re: [mssms] Adding a list of users to a user collection

[Heaton, Joseph@Wildlife]

Awesome, thanks.  I’ll try that out.

Sent from my iPhone

On Nov 20, 2017, at 3:08 AM, Stuart Watret 
mailto:stu...@offshore-it.co.uk>> wrote:

Have to agree, our deployments are based on collections based on ad group 
member ships.
It’s great.

Stuart

On 18 Nov 2017, at 03:51, Nemec, Dale 
mailto:dale.ne...@tektronix.com>> wrote:

We use an Active Directory security group, and SCCM pulls the users from the 
security group.

This is the Collection query we use:

select 
SMS_R_USER.ResourceID,SMS_R_USER.ResourceType,SMS_R_USER.Name,SMS_R_USER.UniqueUserName,SMS_R_USER.WindowsNTDomain
 from SMS_R_User where SMS_R_User.UserGroupName = 
"\\"

Of course, you need to also discover the OU that the security group is in under 
your site Discovery settings.

Then use powershell to populate the AD security group.

This gives us the flexibility to allow our help desk technicians to add/remove 
users from the AD security group without having to grant access to the SCCM 
Admin Console.

We have different AD security groups for each user deployment.

Good luck!

Dale Nemec | Global Architecture & Technology Ops (ESS) | Tektronix

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Heaton, Joseph@Wildlife
Sent: Friday, November 17, 2017 3:30 PM
To: 'mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>' 
mailto:mssms@lists.myitforum.com>>
Subject: [mssms] Adding a list of users to a user collection

I have the Now Micro right-click tools installed, so I thought it was going to 
be as easy as dropping the list of samaccountnames in the box, but that didn’t 
work.  So, I tried UPN, and that didn’t work.  Then I tried putting the domain 
name in there with sam, and that didn’t work.  How can I get a list of 1800 
users into a user collection without doing it manually? I was looking at the CM 
Powershell cmdlets, but the technet cmdlet reference doesn’t give very good 
examples.  Is that the way I should be looking, though?  And if so, what format 
does the user name need to be in to work?

Joe Heaton
Information Technology Operations Branch
Data and Technology Division
CA Department of Fish and Wildlife
1700 9th Street, 3rd Floor
Sacramento, CA  95811
Desk:  916-323-1284



Please be advised that this email may contain confidential information. If you 
are not the intended recipient, please notify us by email by replying to the 
sender and delete this message. The sender disclaims that the content of this 
email constitutes an offer to enter into, or the acceptance of, any agreement; 
provided that the foregoing does not invalidate the binding effect of any 
digital or other electronic reproduction of a manual signature that is included 
in any attachment.

[mssms] Adding a list of users to a user collection

[Heaton, Joseph@Wildlife]

I have the Now Micro right-click tools installed, so I thought it was going to 
be as easy as dropping the list of samaccountnames in the box, but that didn't 
work.  So, I tried UPN, and that didn't work.  Then I tried putting the domain 
name in there with sam, and that didn't work.  How can I get a list of 1800 
users into a user collection without doing it manually? I was looking at the CM 
Powershell cmdlets, but the technet cmdlet reference doesn't give very good 
examples.  Is that the way I should be looking, though?  And if so, what format 
does the user name need to be in to work?

Joe Heaton
Information Technology Operations Branch
Data and Technology Division
CA Department of Fish and Wildlife
1700 9th Street, 3rd Floor
Sacramento, CA  95811
Desk:  916-323-1284

[mssms] Patching Server 2016

[Heaton, Joseph@Wildlife]

SCCM 1702

I have put into place the Group policy for Server 2016, to prevent it from 
downloading updates from Windows Update.  The policy I'm using:

Configure Automatic Updates - Disabled


I deployed updates to my Dev/Test environment this morning.  All of the 
Server2016 servers are showing Compliant, but they have nothing in the ccmcache 
directory, and I have reboots suppressed for servers anyway.

I'm not seeing any errors in logs, and I've looked at pretty much every log I 
can see that has anything with Update, or WUA in the name.

Does anyone have any tips that I should look at to see what the issue is?

Thanks,

Joe Heaton
Information Technology Operations Branch
Data and Technology Division
CA Department of Fish and Wildlife
1700 9th Street, 3rd Floor
Sacramento, CA  95811
Desk:  916-323-1284

[mssms] RE: Maintenance windows - servers

[Heaton, Joseph@Wildlife]

That’s what I figured.  Thanks for the verification/sanity check.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Daniel Ratliff
Sent: Friday, November 3, 2017 3:30 PM
To: 'mssms@lists.myitforum.com' 
Subject: [mssms] RE: Maintenance windows - servers

You will need separate deployments, that is how we do it. We have our 
deployment collections named after the reboot type, AUTO or MANUAL.

Daniel Ratliff

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Heaton, Joseph@Wildlife
Sent: Friday, November 3, 2017 6:15 PM
To: 'mssms@lists.myitforum.com' 
mailto:mssms@lists.myitforum.com>>
Subject: [mssms] Maintenance windows - servers

I have 4 groups of servers for updates:

Dev/Test
No dependencies
Production Support
Manual reboots

I’m setting up maintenance windows for each, and I’m ok with all of that.  My 
question is how to address the last group, which needs to be rebooted manually. 
 I’m trying to set everything up so that I have one deployment for all servers, 
and the maintenance windows take care of everything, including installing the 
updates for the last group, but not letting that group reboot automatically.  I 
can’t figure out how to allow the install of updates, but to suppress the 
reboot on only that last group, as that checkbox is something that is setup 
during the creation of the deployment.

Any other ideas?

Joe Heaton
Information Technology Operations Branch
Data and Technology Division
CA Department of Fish and Wildlife
1700 9th Street, 3rd Floor
Sacramento, CA  95811
Desk:  916-323-1284


The information transmitted is intended only for the person or entity to which 
it is addressed
and may contain CONFIDENTIAL material. If you receive this material/information 
in error,
please contact the sender and delete or destroy the material/information.

Humana Inc. and its subsidiaries comply with applicable Federal civil rights 
laws and
do not discriminate on the basis of race, color, national origin, age, 
disability or
sex. Humana Inc. and its subsidiaries do not exclude people or treat them 
differently
because of race, color, national origin, age, disability or sex.

English: ATTENTION: If you do not speak English, language assistance services, 
free
of charge, are available to you. Call 1‐877‐320‐1235 (TTY: 711).

Español (Spanish): ATENCIÓN: Si habla español, tiene a su disposición servicios
gratuitos de asistencia lingüística. Llame al 1‐877‐320‐1235 (TTY: 711).

繁體中文(Chinese)：注意：如果您使用繁體中文，您可以免費獲得語言援助
服務。請致電 1‐877‐320‐1235 (TTY: 711)。

Kreyòl Ayisyen (Haitian Creole): ATANSION: Si w pale Kreyòl Ayisyen, gen sèvis 
èd
pou lang ki disponib gratis pou ou. Rele 1‐877‐320‐1235 (TTY: 711).

Polski (Polish): UWAGA: Jeżeli mówisz po polsku, możesz skorzystać z bezpłatnej
pomocy językowej. Zadzwoń pod numer 1‐877‐320‐1235 (TTY: 711).

한국어 (Korean): 주의: 한국어를 사용하시는 경우, 언어 지원 서비스를 무료로
이용하실 수 있습니다. 1‐877‐320‐1235 (TTY: 711)번으로 전화해 주십시오.

[mssms] Maintenance windows - servers

[Heaton, Joseph@Wildlife]

I have 4 groups of servers for updates:

Dev/Test
No dependencies
Production Support
Manual reboots

I'm setting up maintenance windows for each, and I'm ok with all of that.  My 
question is how to address the last group, which needs to be rebooted manually. 
 I'm trying to set everything up so that I have one deployment for all servers, 
and the maintenance windows take care of everything, including installing the 
updates for the last group, but not letting that group reboot automatically.  I 
can't figure out how to allow the install of updates, but to suppress the 
reboot on only that last group, as that checkbox is something that is setup 
during the creation of the deployment.

Any other ideas?

Joe Heaton
Information Technology Operations Branch
Data and Technology Division
CA Department of Fish and Wildlife
1700 9th Street, 3rd Floor
Sacramento, CA  95811
Desk:  916-323-1284

[mssms] RE: SCCM and WS 2016 1709

[Heaton, Joseph@Wildlife]

You have to remember the "versions" of Server.  Normal Server, with the Desktop 
Experience (GUI) is LTSB.  The next version of that is still down the road a 
ways.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Hyatt, Dewayne
Sent: Monday, October 30, 2017 10:35 AM
To: 'mssms@lists.myitforum.com' 
Subject: [mssms] SCCM and WS 2016 1709

I might be late to the party but from what I have been reading it looks like WS 
2016 1709 is core only and SCCM is not fully supported??
* Distribution points on this operating system do not support PXE or 
Multicast.
https://docs.microsoft.com/en-us/sccm/core/plan-design/configs/supported-operating-systems-for-site-system-servers#the-server-core-installation-of-windows-server-2016

This is fine for other core installations, but if I use 1709 I'm not going to 
have a choice except core?

Am I missing something here? Have I missed some updated documentation?

Thanks,

Dewayne

RE: [mssms] RE: Patching & Reboot Servers

[Heaton, Joseph@Wildlife]

I have just recently implemented maintenance windows, myself.  I have to 
manually reboot maybe a dozen servers out of 100+ that are getting patched.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Adam Juelich
Sent: Friday, October 27, 2017 10:59 AM
To: mssms@lists.myitforum.com
Subject: Re: [mssms] RE: Patching & Reboot Servers

I haven't seen that to be the case but maybe I'm not the norm?  Really depends 
on your Maintenance Window and it's settings, as well as the settings you 
specify in your Deployments.

On Fri, Oct 27, 2017 at 10:57 AM, Erno, Cynthia M (ITS) 
mailto:cynthia.e...@its.ny.gov>> wrote:

Brian,

We’ve found sccm to be notoriously unreliable on forcing reboots after patching 
as well.
Even when sccm clearly shows a reboot is needed.
I don’t know if your company uses nessus or qualys or a similar product, but a 
simple scan
would show you that your servers are not considered patched, most of the time,
until your servers have rebooted.

Cynthia Erno

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] 
On Behalf Of Brian McDonald
Sent: Friday, October 27, 2017 7:39 AM
To: mssms@lists.myitforum.com
Subject: [mssms] Patching & Reboot Servers


ATTENTION: This email came from an external source. Do not open attachments or 
click on links from unknown senders or unexpected emails.

Good morning,

We have been working extremely hard getting our patch compliance numbers up. We 
recently, for the first time, hit over 90% compliance for last month.

A question came up recently about scheduling reboots on servers. I decided to 
run a last reboot / uptime report against all servers in the environment. I 
found a good handful of servers that had not removed since August. And several 
servers that has not removed since last month. One suggestion brought the table 
was to schedule an automated refill for the servers to help increase our paths 
one effort.

Management is telling me they see no reason to schedule reboot as long as 
patching work. I am looking to justify this need.

I’d be interested to hear what other folks would suggest would be legitimate 
reasons for scheduled reboots. Basically they are saying SCCM how do you must 
not be working if servers aren’t getting rebooted. I have, for example, found 
some servers don’t receive patches if there are disconnected user logged into 
the server. By bouncing the server, I was able to deploy patches no problem. 
Any other use cases samples to support this would be extremely helpful.

I appreciate any help or suggestions with this.

Thanks!

Brian

Sent from my iPhone

[mssms] RE: Crosspost: Server 2016 servers not patching through SCCM

[Heaton, Joseph@Wildlife]

I don’t like hacking the registry if I don’t absolutely need to.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Kelkar, Bhushan
Sent: Friday, October 6, 2017 9:56 AM
To: mssms@lists.myitforum.com; Patch Management Mailing List 
(patchmanagem...@listserv.patchmanagement.org) 

Subject: [mssms] RE: Crosspost: Server 2016 servers not patching through SCCM

With windows 10 I have tested the following registry working successfully, I 
believe the same should be applicable for server 2016.


Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows\WindowsUpdate
DWord
DisableDualScan=1

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DWord
DisableDualScan=1



Bhushan Kelkar
Expert Systems Engineer
O: +91.207.107.8404   M: +91.954.524.0543
allscripts.com | @allscripts <https://twitter.com/allscripts>

Allscripts: Building open, connected communities of health


From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Heaton, Joseph@Wildlife
Sent: Friday, October 6, 2017 10:09 PM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>; Patch 
Management Mailing List 
(patchmanagem...@listserv.patchmanagement.org<mailto:patchmanagem...@listserv.patchmanagement.org>)
 
mailto:patchmanagem...@listserv.patchmanagement.org>>
Subject: [mssms] RE: Crosspost: Server 2016 servers not patching through SCCM

Ok, so I uncheck the Defer Feature updates in my Server 2016 template, and set 
that GPO, which will take care of both Win10 and Server 2016?

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Gerry Hampson
Sent: Friday, October 6, 2017 9:21 AM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>; Patch 
Management Mailing List 
(patchmanagem...@listserv.patchmanagement.org<mailto:patchmanagem...@listserv.patchmanagement.org>)
 
mailto:patchmanagem...@listserv.patchmanagement.org>>
Subject: [mssms] RE: Crosspost: Server 2016 servers not patching through SCCM

You need this GPO. For now it’s the only thing that solves this problem.

[cid:image001.jpg@01D33E92.9E1797D0]

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Daniel Ratliff
Sent: 06 October 2017 17:04
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>; Patch 
Management Mailing List 
(patchmanagem...@listserv.patchmanagement.org<mailto:patchmanagem...@listserv.patchmanagement.org>)
 
mailto:patchmanagem...@listserv.patchmanagement.org>>
Subject: [mssms] RE: Crosspost: Server 2016 servers not patching through SCCM

Ah, yeah sounds like the dual scan issue then.

Daniel Ratliff

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Heaton, Joseph@Wildlife
Sent: Friday, October 6, 2017 11:37 AM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>; Patch 
Management Mailing List 
(patchmanagem...@listserv.patchmanagement.org<mailto:patchmanagem...@listserv.patchmanagement.org>)
 
mailto:patchmanagem...@listserv.patchmanagement.org>>
Subject: [mssms] RE: Crosspost: Server 2016 servers not patching through SCCM

Yes.  All are Active, with Last Activity timestamps of today.  All have recent 
hardware and software scans.

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Daniel Ratliff
Sent: Friday, October 6, 2017 8:07 AM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>; Patch 
Management Mailing List 
(patchmanagem...@listserv.patchmanagement.org<mailto:patchmanagem...@listserv.patchmanagement.org>)
 
mailto:patchmanagem...@listserv.patchmanagement.org>>
Subject: [mssms] RE: Crosspost: Server 2016 servers not patching through SCCM

If they are not getting their update deployments, are you sure they are getting 
policy? Do they show a recent last active time? Has a software update scan 
completed successfully? Are they processing hardware inventory?

Daniel Ratliff

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Heaton, Joseph@Wildlife
Sent: Friday, October 6, 2017 10:46 AM
To: Patch Management Mailing List 
(patchmanagem...@listserv.patchmanagement.org<mailto:patchmanagem...@listserv.patchmanagement.org>)
 
mailto:patchmanagem...@listserv.patchmanagement.org>>;
 'mssms@lists.myitforum.com' 
mailto:mssms@lists.myitforum.com>>
Subject: [mssms] Crosspost: Server 2016 servers not patching through SCCM

I have SCCM 1702, with hotfix installed.  I’ve installed SCCM client on the 
Server 2016 boxes.

RE: [mssms] Moving away from image installation?

[Heaton, Joseph@Wildlife]

Autopilot only really works if you have 2-way sync with Azure, though, right?

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Rod Trent
Sent: Friday, October 6, 2017 9:25 AM
To: mssms@lists.myitforum.com
Subject: RE: [mssms] Moving away from image installation?

Have you gotten a look at AutoPilot?

http://myitforum.com/myitforumwp/2017/10/05/deploying-windows-10-an-overview-of-whats-new-and-future-direction/

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of John Marcum
Sent: Friday, October 6, 2017 12:12 PM
To: mssms@lists.myitforum.com
Subject: RE: [mssms] Moving away from image installation?

I am of the opinion that the days of imaging computers is dying.



Sensitivity: Internal use only
From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of 
janus...@gmx.net
Sent: Thursday, October 5, 2017 8:55 AM
To: mssms@lists.myitforum.com
Subject: RE: [mssms] Moving away from image installation?

The users don't care about the how, as long as they have the apps, data and 
settings... (at least most of them)

Since it's a refresh, USMT takes care of the data and the apps install anyway 
(again) during OSD (implemented like that).
And with Office, you may need LPs (Win 10 also) and then you need patches, it 
just takes forever.


From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Tim Amico
Sent: Donnerstag, 5. Oktober 2017 14:09
To: mssms@lists.myitforum.com
Subject: RE: [mssms] Moving away from image installation?

Using a mix of both here with an upgrade to Office 2016 during the in-place. 
Our end users and help desk love the in-place upgrade from 7 to 10, basically 
an hour or two later and it's running Win 10 just the way they had it setup 
when it was Win 7.

If it applies, you might be shaving time with a wipe and load on the upgrade of 
Office, but what about user data and additional applications they may have 
installed after the wipe and load.

Can't comment on the HP\Dell out of box, still wipe and load new systems.

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of 
janus...@gmx.net
Sent: Thursday, October 5, 2017 7:38 AM
To: mssms@lists.myitforum.com
Subject: [mssms] Moving away from image installation?

MS is promoting a lot to upgrade existing systems, like Win 7 to 10 or even 
using out of the box installations from vendors, instead of wipe and load.

e.g. us: We are on Win 7 with Office 2013 and a few language packs in the image.
Upgrading to Win 10, now with office 2016 and the same language packs would 
take much longer than just wiping it with the image having all that already 
(and patched).

But how many of you are actually using upgrade, like from win7, or even using 
HP/Dell out of the box systems and just integrate them?

-Roland

[mssms] RE: Crosspost: Server 2016 servers not patching through SCCM

[Heaton, Joseph@Wildlife]

Ok, so I uncheck the Defer Feature updates in my Server 2016 template, and set 
that GPO, which will take care of both Win10 and Server 2016?

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Gerry Hampson
Sent: Friday, October 6, 2017 9:21 AM
To: mssms@lists.myitforum.com; Patch Management Mailing List 
(patchmanagem...@listserv.patchmanagement.org) 

Subject: [mssms] RE: Crosspost: Server 2016 servers not patching through SCCM

You need this GPO. For now it’s the only thing that solves this problem.

[cid:image002.jpg@01D33E86.F8C842D0]

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Daniel Ratliff
Sent: 06 October 2017 17:04
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>; Patch 
Management Mailing List 
(patchmanagem...@listserv.patchmanagement.org<mailto:patchmanagem...@listserv.patchmanagement.org>)
 
mailto:patchmanagem...@listserv.patchmanagement.org>>
Subject: [mssms] RE: Crosspost: Server 2016 servers not patching through SCCM

Ah, yeah sounds like the dual scan issue then.

Daniel Ratliff

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Heaton, Joseph@Wildlife
Sent: Friday, October 6, 2017 11:37 AM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>; Patch 
Management Mailing List 
(patchmanagem...@listserv.patchmanagement.org<mailto:patchmanagem...@listserv.patchmanagement.org>)
 
mailto:patchmanagem...@listserv.patchmanagement.org>>
Subject: [mssms] RE: Crosspost: Server 2016 servers not patching through SCCM

Yes.  All are Active, with Last Activity timestamps of today.  All have recent 
hardware and software scans.

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Daniel Ratliff
Sent: Friday, October 6, 2017 8:07 AM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>; Patch 
Management Mailing List 
(patchmanagem...@listserv.patchmanagement.org<mailto:patchmanagem...@listserv.patchmanagement.org>)
 
mailto:patchmanagem...@listserv.patchmanagement.org>>
Subject: [mssms] RE: Crosspost: Server 2016 servers not patching through SCCM

If they are not getting their update deployments, are you sure they are getting 
policy? Do they show a recent last active time? Has a software update scan 
completed successfully? Are they processing hardware inventory?

Daniel Ratliff

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Heaton, Joseph@Wildlife
Sent: Friday, October 6, 2017 10:46 AM
To: Patch Management Mailing List 
(patchmanagem...@listserv.patchmanagement.org<mailto:patchmanagem...@listserv.patchmanagement.org>)
 
mailto:patchmanagem...@listserv.patchmanagement.org>>;
 'mssms@lists.myitforum.com' 
mailto:mssms@lists.myitforum.com>>
Subject: [mssms] Crosspost: Server 2016 servers not patching through SCCM

I have SCCM 1702, with hotfix installed.  I’ve installed SCCM client on the 
Server 2016 boxes.  I’ve added them to collections, maintenance windows, etc.  
When I deploy updates, they never even get downloaded into ccmcache on the 
servers.  Instead, the servers are reaching out to Microsoft to see what 
updates are available.  I know I need to set the GPO setting to disable for 
Configure Automatic Updates.  Is there anything else I need to do to make 
Server 2016, and I’m assuming, Win10, to update through SCCM, vs. downloading 
from Microsoft and ignoring SCCM update deployment?

Joe Heaton
Information Technology Operations Branch
Data and Technology Division
CA Department of Fish and Wildlife
1700 9th Street, 3rd Floor
Sacramento, CA  95811
Desk:  916-323-1284


The information transmitted is intended only for the person or entity to which 
it is addressed
and may contain CONFIDENTIAL material. If you receive this material/information 
in error,
please contact the sender and delete or destroy the material/information.

Humana Inc. and its subsidiaries comply with applicable Federal civil rights 
laws and
do not discriminate on the basis of race, color, national origin, age, 
disability or
sex. Humana Inc. and its subsidiaries do not exclude people or treat them 
differently
because of race, color, national origin, age, disability or sex.

English: ATTENTION: If you do not speak English, language assistance services, 
free
of charge, are available to you. Call 1‐877‐320‐1235 (TTY: 711).

Español (Spanish): ATENCIÓN: Si habla español, tiene a su disposición servicios
gratuitos de asistencia lingüística. Llame al 1‐877‐320‐1235 (TTY: 711).

繁體中文(Chinese)：注意：如果您使用繁體中文，您可以免費獲得語言援助
服務。請致電 1‐877‐320‐1235 (TTY: 711)。

Kreyòl Ayisyen (Haitian Creole): ATANSION: Si w pale Kreyòl Ayisyen, gen sèv

[mssms] RE: Crosspost: Server 2016 servers not patching through SCCM

[Heaton, Joseph@Wildlife]

Thanks Jimmy,

This just might be part of the problem.  I looked on one of the 2016 servers 
that has nothing in the ccmcache, and under Advanced options, the Defer Feature 
updates box is checked.

I have no GPOs for windows updates at this point, so I'm good on that front, 
just stuff that may or may not have been setup in the template that we use.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Jimmy Martin
Sent: Friday, October 6, 2017 8:01 AM
To: 'mssms@lists.myitforum.com' ; 'Patch Management 
Mailing List (patchmanagem...@listserv.patchmanagement.org)' 

Subject: [mssms] RE: Crosspost: Server 2016 servers not patching through SCCM

??? 
https://finalthought.org/2017/06/21/why-are-my-windows-10-devices-updating-via-microsoft-update-and-not-sccm/



Jimmy Martin
(901) 227-8209
From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Heaton, Joseph@Wildlife
Sent: Friday, October 6, 2017 9:46 AM
To: Patch Management Mailing List 
(patchmanagem...@listserv.patchmanagement.org<mailto:patchmanagem...@listserv.patchmanagement.org>)
 
mailto:patchmanagem...@listserv.patchmanagement.org>>;
 'mssms@lists.myitforum.com' 
mailto:mssms@lists.myitforum.com>>
Subject: [mssms] Crosspost: Server 2016 servers not patching through SCCM

<<<<< EXTERNAL EMAIL ALERT >>>>>
I have SCCM 1702, with hotfix installed.  I've installed SCCM client on the 
Server 2016 boxes.  I've added them to collections, maintenance windows, etc.  
When I deploy updates, they never even get downloaded into ccmcache on the 
servers.  Instead, the servers are reaching out to Microsoft to see what 
updates are available.  I know I need to set the GPO setting to disable for 
Configure Automatic Updates.  Is there anything else I need to do to make 
Server 2016, and I'm assuming, Win10, to update through SCCM, vs. downloading 
from Microsoft and ignoring SCCM update deployment?

Joe Heaton
Information Technology Operations Branch
Data and Technology Division
CA Department of Fish and Wildlife
1700 9th Street, 3rd Floor
Sacramento, CA  95811
Desk:  916-323-1284


This message and any files transmitted with it may contain legally privileged, 
confidential, or proprietary information. If you are not the intended recipient 
of this message, you are not permitted to use, copy, or forward it, in whole or 
in part without the express consent of the sender. Please notify the sender of 
the error by reply email, disregard the foregoing messages, and delete it 
immediately.


P Please consider the environment before printing this email...

[mssms] RE: Crosspost: Server 2016 servers not patching through SCCM

[Heaton, Joseph@Wildlife]

Yes.  All are Active, with Last Activity timestamps of today.  All have recent 
hardware and software scans.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Daniel Ratliff
Sent: Friday, October 6, 2017 8:07 AM
To: mssms@lists.myitforum.com; Patch Management Mailing List 
(patchmanagem...@listserv.patchmanagement.org) 

Subject: [mssms] RE: Crosspost: Server 2016 servers not patching through SCCM

If they are not getting their update deployments, are you sure they are getting 
policy? Do they show a recent last active time? Has a software update scan 
completed successfully? Are they processing hardware inventory?

Daniel Ratliff

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Heaton, Joseph@Wildlife
Sent: Friday, October 6, 2017 10:46 AM
To: Patch Management Mailing List 
(patchmanagem...@listserv.patchmanagement.org<mailto:patchmanagem...@listserv.patchmanagement.org>)
 
mailto:patchmanagem...@listserv.patchmanagement.org>>;
 'mssms@lists.myitforum.com' 
mailto:mssms@lists.myitforum.com>>
Subject: [mssms] Crosspost: Server 2016 servers not patching through SCCM

I have SCCM 1702, with hotfix installed.  I’ve installed SCCM client on the 
Server 2016 boxes.  I’ve added them to collections, maintenance windows, etc.  
When I deploy updates, they never even get downloaded into ccmcache on the 
servers.  Instead, the servers are reaching out to Microsoft to see what 
updates are available.  I know I need to set the GPO setting to disable for 
Configure Automatic Updates.  Is there anything else I need to do to make 
Server 2016, and I’m assuming, Win10, to update through SCCM, vs. downloading 
from Microsoft and ignoring SCCM update deployment?

Joe Heaton
Information Technology Operations Branch
Data and Technology Division
CA Department of Fish and Wildlife
1700 9th Street, 3rd Floor
Sacramento, CA  95811
Desk:  916-323-1284


The information transmitted is intended only for the person or entity to which 
it is addressed
and may contain CONFIDENTIAL material. If you receive this material/information 
in error,
please contact the sender and delete or destroy the material/information.

Humana Inc. and its subsidiaries comply with applicable Federal civil rights 
laws and
do not discriminate on the basis of race, color, national origin, age, 
disability or
sex. Humana Inc. and its subsidiaries do not exclude people or treat them 
differently
because of race, color, national origin, age, disability or sex.

English: ATTENTION: If you do not speak English, language assistance services, 
free
of charge, are available to you. Call 1‐877‐320‐1235 (TTY: 711).

Español (Spanish): ATENCIÓN: Si habla español, tiene a su disposición servicios
gratuitos de asistencia lingüística. Llame al 1‐877‐320‐1235 (TTY: 711).

繁體中文(Chinese)：注意：如果您使用繁體中文，您可以免費獲得語言援助
服務。請致電 1‐877‐320‐1235 (TTY: 711)。

Kreyòl Ayisyen (Haitian Creole): ATANSION: Si w pale Kreyòl Ayisyen, gen sèvis 
èd
pou lang ki disponib gratis pou ou. Rele 1‐877‐320‐1235 (TTY: 711).

Polski (Polish): UWAGA: Jeżeli mówisz po polsku, możesz skorzystać z bezpłatnej
pomocy językowej. Zadzwoń pod numer 1‐877‐320‐1235 (TTY: 711).

한국어 (Korean): 주의: 한국어를 사용하시는 경우, 언어 지원 서비스를 무료로
이용하실 수 있습니다. 1‐877‐320‐1235 (TTY: 711)번으로 전화해 주십시오.

[mssms] Crosspost: Server 2016 servers not patching through SCCM

[Heaton, Joseph@Wildlife]

I have SCCM 1702, with hotfix installed.  I've installed SCCM client on the 
Server 2016 boxes.  I've added them to collections, maintenance windows, etc.  
When I deploy updates, they never even get downloaded into ccmcache on the 
servers.  Instead, the servers are reaching out to Microsoft to see what 
updates are available.  I know I need to set the GPO setting to disable for 
Configure Automatic Updates.  Is there anything else I need to do to make 
Server 2016, and I'm assuming, Win10, to update through SCCM, vs. downloading 
from Microsoft and ignoring SCCM update deployment?

Joe Heaton
Information Technology Operations Branch
Data and Technology Division
CA Department of Fish and Wildlife
1700 9th Street, 3rd Floor
Sacramento, CA  95811
Desk:  916-323-1284

[mssms] RE: client upgrade reboots

[Heaton, Joseph@Wildlife]

Only thing I've seen recently is that upgrading from 1702 to 1702 hotfix 
cleared out the ccmcache, and caused machines to re-download, and reapply 
packages from ages ago.  Pain in the behind.

-Original Message-
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Daniel Ratliff
Sent: Wednesday, September 13, 2017 8:12 AM
To: mssms@lists.myitforum.com
Subject: [mssms] RE: client upgrade reboots

We did, and it was always .NET. 

Daniel Ratliff

-Original Message-
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Stuart Watret
Sent: Wednesday, September 13, 2017 6:23 AM
To: mssms@lists.myitforum.com
Subject: [mssms] client upgrade reboots

Upgraded some clients from 1610 to 1706, a few have rebooted - its not a .Net 
install, and I’m struggling to find the reason why.

Anyone else seen a similar thing?

Stuart

The information transmitted is intended only for the person or entity to which 
it is addressed and may contain CONFIDENTIAL material.  If you receive this 
material/information in error, please contact the sender and delete or destroy 
the material/information.

Humana Inc. and its subsidiaries comply with applicable Federal civil rights 
laws and do not discriminate on the basis of race, color, national origin, age, 
disability or sex. Humana Inc. and its subsidiaries do not exclude people or 
treat them differently because of race, color, national origin, age, disability 
or sex.

English: ATTENTION: If you do not speak English, language assistance services, 
free of charge, are available to you. Call 1‐877‐320‐1235 (TTY: 711).

Español (Spanish): ATENCIÓN: Si habla español, tiene a su disposición servicios 
gratuitos de asistencia lingüística. Llame al 1‐877‐320‐1235 (TTY: 711).

繁體中文(Chinese)：注意：如果您使用繁體中文，您可以免費獲得語言援助
服務。請致電 1‐877‐320‐1235 (TTY: 711)。

Kreyòl Ayisyen (Haitian Creole): ATANSION: Si w pale Kreyòl Ayisyen, gen sèvis 
èd pou lang ki disponib gratis pou ou. Rele 1‐877‐320‐1235 (TTY: 711).

Polski (Polish): UWAGA: Jeżeli mówisz po polsku, możesz skorzystać z bezpłatnej 
pomocy językowej. Zadzwoń pod numer 1‐877‐320‐1235 (TTY: 711).

한국어 (Korean): 주의: 한국어를 사용하시는 경우, 언어 지원 서비스를 무료로 이용하실 수 있습니다. 1‐877‐320‐1235 
(TTY: 711)번으로 전화해 주십시오.

[mssms] RE: Auto reboots of servers during patching

[Heaton, Joseph@Wildlife]

But isn't that reboot based on client settings, like for desktops?  Or does the 
maintenance window override that?

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Mote, Todd
Sent: Wednesday, June 14, 2017 11:47 AM
To: 'mssms@lists.myitforum.com' 
Subject: [mssms] RE: Auto reboots of servers during patching

Nothing to add to anything.  If the server has a maintenance window and an 
updates deployment advertised to it (and is correctly configured to allow the 
reboot during MWs) then when it's done installing updates it will just reboot.  
I patch 500 servers this way every month.

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Heaton, Joseph@Wildlife
Sent: Wednesday, June 14, 2017 12:43 PM
To: 'mssms@lists.myitforum.com' 
mailto:mssms@lists.myitforum.com>>
Subject: [mssms] Auto reboots of servers during patching

How do you handle this?  In past questions, I've related that currently I 
manually reboot all of my 200+ servers.  We're revamping how we're doing the 
server patching, with a couple of maintenance windows, and auto reboots.  
However, I'm not sure the "best" method of doing the reboot.  Do I just change 
the client settings to reboot in a couple of minutes, or do I add a shutdown -r 
to the package, or some other method?

Thanks,

Joe Heaton
Information Technology Operations Branch
Data and Technology Division
CA Department of Fish and Wildlife
1700 9th Street, 3rd Floor
Sacramento, CA  95811
Desk:  (916) 323-1284

Every Californian should conserve water.  Find out how at:
[SaveOurWater_Logo]<http://saveourwater.com/>
SaveOurWater.com<http://saveourwater.com/> * 
Drought.CA.gov<http://drought.ca.gov/>

[mssms] Auto reboots of servers during patching

[Heaton, Joseph@Wildlife]

How do you handle this?  In past questions, I've related that currently I 
manually reboot all of my 200+ servers.  We're revamping how we're doing the 
server patching, with a couple of maintenance windows, and auto reboots.  
However, I'm not sure the "best" method of doing the reboot.  Do I just change 
the client settings to reboot in a couple of minutes, or do I add a shutdown -r 
to the package, or some other method?

Thanks,

Joe Heaton
Information Technology Operations Branch
Data and Technology Division
CA Department of Fish and Wildlife
1700 9th Street, 3rd Floor
Sacramento, CA  95811
Desk:  (916) 323-1284

Every Californian should conserve water.  Find out how at:
[SaveOurWater_Logo]
SaveOurWater.com * 
Drought.CA.gov

[mssms] RE: O365 in Enterprise

[Heaton, Joseph@Wildlife]

We're using on-prem Office, only because we didn't purchase web licenses for 
Visio/Project.  If you use the O365 Office, you can't use on-prem 
Visio/Project, the licenses can't co-exist.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Michael K Murray
Sent: Tuesday, June 06, 2017 2:03 PM
To: mssms@lists.myitforum.com
Subject: [mssms] RE: O365 in Enterprise

Wow, that's a lot of issues. Anyone else have experiences to share?

Thanks!

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Thelen, Chris
Sent: Monday, June 5, 2017 6:10 AM
To: mssms@lists.myitforum.com
Subject: [mssms] RE: O365 in Enterprise

We've been deploying Office 365 for a few years now.  I would like to say that 
it's been great but I'd be lying through my teeth.  This year when we started 
looking at upgrading our Office 365 2013 users to 365 2016, we were seriously 
talking about going back to Office 2016 perpetual licenses cause 365 has been 
that fun...we did decide to stay with 365 though.

Here are the things I have learned and would highly recommend.  Hope this helps 
you out, feel free to ask questions.


  1.  Research the different ways of updating and decide on the best option for 
your environment
 *   We have been updating 365 2016 using SCCM software updates and it has 
gone very poorly and seeing a lot of failures or client issues.
 *   If you do decide to use SCCM for updates, I would not recommend to 
deploy Office updates with Windows updates.  Keep them separate, it has worked 
better for us and we have seen less failures.
 *   Used a DFS share for 2013 and it worked really good.  We're 
considering going back to this instead of SCCM.
  2.  Look at all the options in the xml file  
https://support.office.com/en-us/article/Configuration-options-for-the-Office-2016-Deployment-Tool-d3879f0d-766c-469c-9440-0a9a2a905ca8
 *   Make sure to specify a version in your xml file.  If you don't, then 
it will automatically upgrade during the install regardless of the "Updates" 
setting in the xml file.
 *   If you deal with multiple languages, specify en-us as the first 
language, whatever language is in the xml file first will be the default 
language of Office.
 *   Display level "none" will be a silent install and you will not see any 
error messages.  If you choose Full, then the users/IT will see the normal 
progress bar and full error messages.  I switched all of our SCCM packages to 
full display level and it has helped a ton.
 *   If you have multiple users logging onto one computer that need to use 
Office, then for that single computer, you need to add the 
SharedComputerLicensing property to the xml file.
 *   There are xml file builders out there that make it easier, but you 
still have to understand what's in the xml file and what it does 
https://officedev.github.io/Office-IT-Pro-Deployment-Scripts/XmlEditor.html
 *   If you would like an example of what I use, let me know and I'll share 
it.
  3.  Add-ons as Eric stated
 *   Make sure all your supported add-ons work with 2016.  We also use SAP 
Analysis for Office and EPM Excel add-ins, but we are on newer versions of 
these that do support Office 365 2016.
  4.  If you need to contact MS supportOffice 365 support only supports 
activation and installation.  Anything else, you need to open a MS software 
assurance ticket.
  5.  When troubleshooting issues in Office, there is an quick repair and an 
online repair.  Quick scans and replaces corrupted files.  Online repair is a 
overwrite of all files.  We usually use the Office scrub script to uninstall 
Office completely and then reinstall as doing this fixes most issues faster 
than doing repairs.
  6.  Get used to keeping it up to date like Windows 10.  Only 2 builds in 
deferred channel will be supported.  Like Windows 10, we have to constantly 
test new builds of Office 365.




From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Eric Morrison
Sent: Sunday, June 4, 2017 11:11 PM
To: mssms@lists.myitforum.com
Subject: [mssms] RE: O365 in Enterprise

We've just started looking to deploy it, but we're going to use ConfigMgr. We 
have to continue using 2013 for folks that are using SAP EPM Excel add-ins 
because the version of SAP we're on doesn't support Office 2016 yet. Everyone 
else will get O365 ProPlus CB.

If you have ConfigMgr, it will make your life a lot easier managing and 
deploying O365. If not, you still can manage it with GPOs and custom answer 
files.

Eric



From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Michael K Murray
Sent: Friday, June 2, 2017 6:24 PM
To: mssms@lists.myitforum.com

[mssms] RE: Cert for SCUP

[Heaton, Joseph@Wildlife]

For this purpose, it wouldn't.  It's more of an attempt to make all our certs 
be consistent.  Not my ask.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Jason Sandys
Sent: Saturday, June 03, 2017 9:41 AM
To: mssms@lists.myitforum.com
Subject: [mssms] RE: Cert for SCUP

OK. Why would it need a SAN though? Also, friendly names are not part of the 
certs, they are simply identifiers assigned on the system itself.

J

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Heaton, Joseph@Wildlife
Sent: Friday, June 2, 2017 5:37 PM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: [mssms] RE: Cert for SCUP

Actually, I did create the cert through our PKI.  I don't remember doing any 
reghack to make it work.  That said, I agree with your statements.  However, 
our department has been looking at all certs, and the fact that this one didn't 
have SAN, or a friendly name, raised some concern.

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Jason Sandys
Sent: Thursday, June 01, 2017 11:01 AM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: [mssms] RE: Cert for SCUP

This isn't really SCUP specific in any way. It's just a code-signing cert used 
to sign the updates because WSUS requires this.

I'm assuming that you're using the self-signed certificate created by WSUS, 
correct? If so, then to my knowledge no, there is no way to change this as this 
is deprecated functionality to begin with - that's why you had to make the 
registry change to get it to work in the first place. You need to create your 
own code-signing cert from your own PKI or purchase one to customize it in any 
way.

Ultimately though, why does it matter? The cert is simply used to sign updates. 
Do you really care that this isn't as secure as using a SHA2 cert? You're not 
transmitting state secrets, you're transmitting already public information.

And finally, the thumbprint hash algorithm is in no way a security issue. The 
thumbprint is simply a unique id calculated by hashing the cert itself. It 
provides no actual functionality other than to identify the cert.

J

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Heaton, Joseph@Wildlife
Sent: Wednesday, May 31, 2017 11:10 AM
To: 'mssms@lists.myitforum.com' 
mailto:mssms@lists.myitforum.com>>
Subject: [mssms] Cert for SCUP

I've gone through the install and config for SCUP, and I have it working, but I 
just noticed that the cert thumbprint is done with sha1.  The cert itself is 
sha256.  Is it difficult to replace this?  Is it possible for the SCUP cert to 
use sha2 for thumbprint?  Also, is it possible to add other details to the 
cert, such as SAN, friendly name, etc?

Joe Heaton
Information Technology Operations Branch
Data and Technology Division
CA Department of Fish and Wildlife
1700 9th Street, 3rd Floor
Sacramento, CA  95811
Desk:  (916) 323-1284

Every Californian should conserve water.  Find out how at:
[SaveOurWater_Logo]<http://saveourwater.com/>
SaveOurWater.com<http://saveourwater.com/> * 
Drought.CA.gov<http://drought.ca.gov/>

[mssms] RE: Cert for SCUP

[Heaton, Joseph@Wildlife]

Actually, I did create the cert through our PKI.  I don't remember doing any 
reghack to make it work.  That said, I agree with your statements.  However, 
our department has been looking at all certs, and the fact that this one didn't 
have SAN, or a friendly name, raised some concern.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Jason Sandys
Sent: Thursday, June 01, 2017 11:01 AM
To: mssms@lists.myitforum.com
Subject: [mssms] RE: Cert for SCUP

This isn't really SCUP specific in any way. It's just a code-signing cert used 
to sign the updates because WSUS requires this.

I'm assuming that you're using the self-signed certificate created by WSUS, 
correct? If so, then to my knowledge no, there is no way to change this as this 
is deprecated functionality to begin with - that's why you had to make the 
registry change to get it to work in the first place. You need to create your 
own code-signing cert from your own PKI or purchase one to customize it in any 
way.

Ultimately though, why does it matter? The cert is simply used to sign updates. 
Do you really care that this isn't as secure as using a SHA2 cert? You're not 
transmitting state secrets, you're transmitting already public information.

And finally, the thumbprint hash algorithm is in no way a security issue. The 
thumbprint is simply a unique id calculated by hashing the cert itself. It 
provides no actual functionality other than to identify the cert.

J

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Heaton, Joseph@Wildlife
Sent: Wednesday, May 31, 2017 11:10 AM
To: 'mssms@lists.myitforum.com' 
mailto:mssms@lists.myitforum.com>>
Subject: [mssms] Cert for SCUP

I've gone through the install and config for SCUP, and I have it working, but I 
just noticed that the cert thumbprint is done with sha1.  The cert itself is 
sha256.  Is it difficult to replace this?  Is it possible for the SCUP cert to 
use sha2 for thumbprint?  Also, is it possible to add other details to the 
cert, such as SAN, friendly name, etc?

Joe Heaton
Information Technology Operations Branch
Data and Technology Division
CA Department of Fish and Wildlife
1700 9th Street, 3rd Floor
Sacramento, CA  95811
Desk:  (916) 323-1284

Every Californian should conserve water.  Find out how at:
[SaveOurWater_Logo]<http://saveourwater.com/>
SaveOurWater.com<http://saveourwater.com/> * 
Drought.CA.gov<http://drought.ca.gov/>

[mssms] Cert for SCUP

[Heaton, Joseph@Wildlife]

I've gone through the install and config for SCUP, and I have it working, but I 
just noticed that the cert thumbprint is done with sha1.  The cert itself is 
sha256.  Is it difficult to replace this?  Is it possible for the SCUP cert to 
use sha2 for thumbprint?  Also, is it possible to add other details to the 
cert, such as SAN, friendly name, etc?

Joe Heaton
Information Technology Operations Branch
Data and Technology Division
CA Department of Fish and Wildlife
1700 9th Street, 3rd Floor
Sacramento, CA  95811
Desk:  (916) 323-1284

Every Californian should conserve water.  Find out how at:
[SaveOurWater_Logo]
SaveOurWater.com * 
Drought.CA.gov

[mssms] RE: Deployment question

[Heaton, Joseph@Wildlife]

So, I looked at that pre-deploy option, but it looks like it is more for 
applications being deployed to user collections.  This is being deployed to 
computer collections.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Thelen, Chris
Sent: Thursday, May 18, 2017 10:55 AM
To: mssms@lists.myitforum.com
Subject: [mssms] RE: Deployment question

When you create the deployment you can select to make it required and then you 
will have the option to Pre-Deploy software to the users primary device.  As 
long as those computers are the primary device of the users then they will 
download the software before the scheduled installation date.

Another way would be to create a package with the Office source files with a 
program that only does a file copy to a folder on C drive then deploy that to 
those users as a required deployment.  But you would have to change the Office 
install to launch a command, batch file, or some other script that would launch 
the install from the local source.

Also wanted to say this since you have some users in similar environments to 
ours.  Make sure you specify the Office version in the install xml file, as the 
Office install does check the Microsoft Office servers for a newer version, and 
will download and install that newer version if a version is not specified.  
This cratered some of our users last year even with updates disabled in the xml 
file.

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Heaton, Joseph@Wildlife
Sent: Thursday, May 18, 2017 11:51 AM
To: 'mssms@lists.myitforum.com' 
mailto:mssms@lists.myitforum.com>>
Subject: [mssms] Deployment question

CM 1610

I am rolling out Office 2016 to my clients, in waves.  We have some users that 
are pretty isolated, geographically, and network-wise.  Some of them are using 
LTE wireless, some are using cable connections, etc.  So, very limited 
bandwidth.  I'd like to find a way that I can deploy the package, and have it 
preseed over the weekend, and wait to do the actual install on Monday.  Is that 
possible?

Joe Heaton
Information Technology Operations Branch
Data and Technology Division
CA Department of Fish and Wildlife
1700 9th Street, 3rd Floor
Sacramento, CA  95811
Desk:  (916) 323-1284

Every Californian should conserve water.  Find out how at:
[SaveOurWater_Logo]<http://saveourwater.com/>
SaveOurWater.com<http://saveourwater.com/> * 
Drought.CA.gov<http://drought.ca.gov/>

[mssms] What does this error really mean?

[Heaton, Joseph@Wildlife]

[cid:image001.png@01D2CFB6.7C6F9290]

15 machines showing up in the Error section, but the error description is 
Success?

Joe Heaton
Information Technology Operations Branch
Data and Technology Division
CA Department of Fish and Wildlife
1700 9th Street, 3rd Floor
Sacramento, CA  95811
Desk:  (916) 323-1284

Every Californian should conserve water.  Find out how at:
[SaveOurWater_Logo]
SaveOurWater.com * 
Drought.CA.gov

[mssms] RE: Expired updates being removed from SCCM

[Heaton, Joseph@Wildlife]

Yep, that's what I figured out, as well.  I changed my setting to 4 months.  
The March updates are back in, after a sync, and I'm starting to get some stats 
on it.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Thelen, Chris
Sent: Wednesday, May 17, 2017 7:43 AM
To: mssms@lists.myitforum.com
Subject: [mssms] RE: Expired updates being removed from SCCM

In Administration > Sites > Click on your site then go to Configure Site 
Components.  Click the Superscedence Rules tab.

Our settings are the same as yours, I can't run reporting for the March update 
as SCCM has expired the update.  In the Superscedence Rules tab, mine is set to 
wait 1 month before a superseded update is expired and the box to run the WSUS 
cleanup wizard is checked.  When the cleanup wizard is ran, it will decline 
expired updates.

Set the months to wait to a higher number to give you reporting history farther 
in the past, but it will also be more updates showing up in the console.


From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Heaton, Joseph@Wildlife
Sent: Wednesday, May 17, 2017 9:44 AM
To: 'mssms@lists.myitforum.com' 
mailto:mssms@lists.myitforum.com>>
Subject: [mssms] Expired updates being removed from SCCM

I'm assuming that I set something up incorrectly, but I'm noticing that all 
Expired updates are just gone from SCCM.  The problem with this, is that I 
can't give historical stats on previous months' update deployments.  And, I 
can't go searching for compliance on the March, Security Monthly Quality 
Rollup...

Anyone know off-hand what setting I messed up?

Joe Heaton
Information Technology Operations Branch
Data and Technology Division
CA Department of Fish and Wildlife
1700 9th Street, 3rd Floor
Sacramento, CA  95811
Desk:  (916) 323-1284

Every Californian should conserve water.  Find out how at:
[SaveOurWater_Logo]<http://saveourwater.com/>
SaveOurWater.com<http://saveourwater.com/> * 
Drought.CA.gov<http://drought.ca.gov/>

[mssms] RE: Patching Status Query

[Heaton, Joseph@Wildlife]

Most of the status reports will give you more information.  I know that when 
I'm just looking at the stats section, I get all the error codes, etc for 
failures.

The Unknowns are either active or inactive machines, and it will tell you how 
many of each.  It just means those machines haven't checked in for the 
deployment.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Miriyala, Vasu
Sent: Wednesday, May 17, 2017 10:03 AM
To: mssms@lists.myitforum.com
Subject: [mssms] Patching Status Query

Hi Champs,

Thru inbuilt report I get first two columns that gives status of a KB Article. 
Is there a way, SQL query or so to get info description of state as well as I 
imagined in yellow

State

Count

Description

Installed

565

Successful

Unknown

10

I know this is difficult to get/decode

Required

5



Failed to Installed

12

Access denied , Install failure, perquisites not met

Pending Reboot

7



General Failure

3

0xx2343524

Failed to Download Content

15

DP, Boundary, content not avail , Hash Mismatc


Thanks, Vasu


This message contains information that may be privileged or confidential and is 
the property of the Capgemini Group. It is intended only for the person to whom 
it is addressed. If you are not the intended recipient, you are not authorized 
to read, print, retain, copy, disseminate, distribute, or use this message or 
any part thereof. If you receive this message in error, please notify the 
sender immediately and delete all copies of this message.

[mssms] Deployment question

[Heaton, Joseph@Wildlife]

CM 1610

I am rolling out Office 2016 to my clients, in waves.  We have some users that 
are pretty isolated, geographically, and network-wise.  Some of them are using 
LTE wireless, some are using cable connections, etc.  So, very limited 
bandwidth.  I'd like to find a way that I can deploy the package, and have it 
preseed over the weekend, and wait to do the actual install on Monday.  Is that 
possible?

Joe Heaton
Information Technology Operations Branch
Data and Technology Division
CA Department of Fish and Wildlife
1700 9th Street, 3rd Floor
Sacramento, CA  95811
Desk:  (916) 323-1284

Every Californian should conserve water.  Find out how at:
[SaveOurWater_Logo]
SaveOurWater.com * 
Drought.CA.gov

[mssms] Expired updates being removed from SCCM

[Heaton, Joseph@Wildlife]

I'm assuming that I set something up incorrectly, but I'm noticing that all 
Expired updates are just gone from SCCM.  The problem with this, is that I 
can't give historical stats on previous months' update deployments.  And, I 
can't go searching for compliance on the March, Security Monthly Quality 
Rollup...

Anyone know off-hand what setting I messed up?

Joe Heaton
Information Technology Operations Branch
Data and Technology Division
CA Department of Fish and Wildlife
1700 9th Street, 3rd Floor
Sacramento, CA  95811
Desk:  (916) 323-1284

Every Californian should conserve water.  Find out how at:
[SaveOurWater_Logo]
SaveOurWater.com * 
Drought.CA.gov

RE: [mssms] RE: Managing Server 2016

[Heaton, Joseph@Wildlife]

That’s what I haven’t done.  I don’t think we have any GPOs in place to do this 
for any of our Operating Systems.  Thank you, I’ll look into that.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Adam Juelich
Sent: Thursday, May 11, 2017 11:58 AM
To: mssms@lists.myitforum.com
Subject: Re: [mssms] RE: Managing Server 2016

Are you disabling Windows Updates via GPO on your Servers?  Many do it on 
Clients but often overlook Servers

On Thu, May 11, 2017 at 10:21 AM, Mote, Todd 
mailto:mo...@austin.utexas.edu>> wrote:
Sure it’s not going out to MS via GPO or something?  I’ve got several 2016’s in 
our 1606 and they’re working as expected.

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com>] 
On Behalf Of Heaton, Joseph@Wildlife
Sent: Thursday, May 11, 2017 10:02 AM
To: 'mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>' 
mailto:mssms@lists.myitforum.com>>
Subject: [mssms] Managing Server 2016

I’m running CM 1610 at the moment, planning the upgrade to 1702.

We are starting to build a few test servers using Server 2016.  I have the SCCM 
client installed, Defender is managed, etc  However, I have a couple of these 
2016 boxes, that when I log in, I get the notification “You need some updates.  
Select this message to install.”When I go look at what updates are there, 
it’s the May updates.  I haven’t deployed the May updates to any of my servers. 
 Am I missing something with Server 2016?  Have I forgotten some setting in CM?


Joe Heaton
Information Technology Operations Branch
Data and Technology Division
CA Department of Fish and Wildlife
1700 9th Street, 3rd Floor
Sacramento, CA  95811
Desk:  (916) 323-1284

Every Californian should conserve water.  Find out how at:
[SaveOurWater_Logo]<http://saveourwater.com/>
SaveOurWater.com<http://saveourwater.com/> · 
Drought.CA.gov<http://drought.ca.gov/>

[mssms] RE: Updates question

[Heaton, Joseph@Wildlife]

That would possibly require a second reboot, though, correct?  Do you reboot 
PCs based on maintenance windows, or do you do the reboots during the day?  We 
do it during the day, with a 24-hour notification box.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Melin, Cordell (BAC/LAC)
Sent: Thursday, May 11, 2017 7:48 AM
To: mssms@lists.myitforum.com
Subject: [mssms] RE: Updates question

Yes, we have been using this since it was included in 1606 and noticed that the 
compliance rate improved.

We have not had any negative impact.

Cordell Melin

Conseiller technique, Direction générale de l'Innovation et du Dirigeant 
principal de l'information
Bibliothèque et Archives 
Canada<http://www.bac-lac.gc.ca/fra/Pages/bac-web.aspx> / Gouvernement du Canada
cordell.me...@canada.ca<mailto:cordell.me...@canada.ca> / Tél. : 613-355-3290

Technical Advisor, Innovation and Chief Information Officer Branch
Library and Archives Canada<http://www.bac-lac.gc.ca/eng/Pages/lac-web.aspx> / 
Government of Canada
cordell.me...@canada.ca<mailto:cordell.me...@canada.ca> / Tel: 613-355-3290


From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Heaton, Joseph@Wildlife
Sent: May 11, 2017 10:32 AM
To: 'mssms@lists.myitforum.com' 
mailto:mssms@lists.myitforum.com>>
Subject: [mssms] Updates question

I'm putting the deployment together this morning for pushing May's updates to 
my test group.  Normally, this is something I pretty much do in my sleep, since 
I've done it so many times.  But this morning, I'm looking at the user 
experience screen, and I notice the last item on the page:  The Software 
updates deployment re-evaluation.  How many of you have that box checked, so 
the machine goes back and checks right away for any other updates?  I don't 
currently, but I'm curious if I should.

Joe Heaton
Information Technology Operations Branch
Data and Technology Division
CA Department of Fish and Wildlife
1700 9th Street, 3rd Floor
Sacramento, CA  95811
Desk:  (916) 323-1284

Every Californian should conserve water.  Find out how at:
[SaveOurWater_Logo]<http://saveourwater.com/>
SaveOurWater.com<http://saveourwater.com/> · 
Drought.CA.gov<http://drought.ca.gov/>

[mssms] Managing Server 2016

[Heaton, Joseph@Wildlife]

I'm running CM 1610 at the moment, planning the upgrade to 1702.

We are starting to build a few test servers using Server 2016.  I have the SCCM 
client installed, Defender is managed, etc  However, I have a couple of these 
2016 boxes, that when I log in, I get the notification "You need some updates.  
Select this message to install."When I go look at what updates are there, 
it's the May updates.  I haven't deployed the May updates to any of my servers. 
 Am I missing something with Server 2016?  Have I forgotten some setting in CM?


Joe Heaton
Information Technology Operations Branch
Data and Technology Division
CA Department of Fish and Wildlife
1700 9th Street, 3rd Floor
Sacramento, CA  95811
Desk:  (916) 323-1284

Every Californian should conserve water.  Find out how at:
[SaveOurWater_Logo]
SaveOurWater.com * 
Drought.CA.gov

[mssms] Updates question

[Heaton, Joseph@Wildlife]

I'm putting the deployment together this morning for pushing May's updates to 
my test group.  Normally, this is something I pretty much do in my sleep, since 
I've done it so many times.  But this morning, I'm looking at the user 
experience screen, and I notice the last item on the page:  The Software 
updates deployment re-evaluation.  How many of you have that box checked, so 
the machine goes back and checks right away for any other updates?  I don't 
currently, but I'm curious if I should.

Joe Heaton
Information Technology Operations Branch
Data and Technology Division
CA Department of Fish and Wildlife
1700 9th Street, 3rd Floor
Sacramento, CA  95811
Desk:  (916) 323-1284

Every Californian should conserve water.  Find out how at:
[SaveOurWater_Logo]
SaveOurWater.com * 
Drought.CA.gov

[mssms] User affinity auditing

[Heaton, Joseph@Wildlife]

Does anyone know if you can use the advanced auditing settings for user 
affinity?  Back when I initially set this up (SCCM2007), I used the basic 
auditing.  I have other things going on that work much better with advanced 
auditing, but I'm getting inconsistent audit policies being applied, and I 
think it's because I'm using both types of auditing, in different GPOs.

Joe Heaton
Information Technology Operations Branch
Data and Technology Division
CA Department of Fish and Wildlife
1700 9th Street, 3rd Floor
Sacramento, CA  95811
Desk:  (916) 323-1284

Every Californian should conserve water.  Find out how at:
[SaveOurWater_Logo]
SaveOurWater.com * 
Drought.CA.gov

[mssms] RE: CM updates

[Heaton, Joseph@Wildlife]

That's what I was hoping you meant.  Did you apply the hotfixes first, or no?

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Daniel Ratliff
Sent: Thursday, April 13, 2017 5:08 AM
To: mssms@lists.myitforum.com
Subject: [mssms] RE: CM updates

Sorry about that, I meant it in this way...

"I have not heard or seen any issues with 1702 yet. "

I agree! It's ("actually quite the opposite").

Daniel Ratliff

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Heaton, Joseph@Wildlife
Sent: Wednesday, April 12, 2017 9:21 PM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: [mssms] RE: CM updates

Daniel, you're confusing me.

Chris said I can upgrade to 1702 no problem, and that twitter post sounds like 
it was a good thing that that person upgraded to 1702, but you said "Actually 
quite the opposite"

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Daniel Ratliff
Sent: Wednesday, April 12, 2017 10:23 AM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: [mssms] RE: CM updates

Actually quite the opposite.

"My team resolved 3892 issues in 
#SCCM<https://twitter.com/hashtag/SCCM?src=hash> 1702. That's a lot of reasons 
to upgrade."

https://twitter.com/djammmer/status/851628192670416896

Daniel Ratliff

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Chris Barnes
Sent: Wednesday, April 12, 2017 1:01 PM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: [mssms] RE: CM updates

You can go straight to 1702.

I have not heard or seen any issues with 1702 yet.


Chris Barnes
MCSE: Private Cloud|MCSE: Cloud Platform & Infrastructure
Coretek Services | Microsoft Delivery Manager
* 248.767.4415 cell
* chris.bar...@coretekservices.com
*   http://www.coretekservices.com<http://www.coretekservices.com/>

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Heaton, Joseph@Wildlife
Sent: Wednesday, April 12, 2017 12:19 PM
To: 'mssms@lists.myitforum.com' 
mailto:mssms@lists.myitforum.com>>
Subject: [mssms] CM updates

I'm currently at 1610.  I see 2 hotfixes available, and now, 1702.  Do I need 
to install the hotfixes to update to 1702?  Anyone seeing major issues with 
1702?  We don't have Win 10 in the environment yet, Helpdesk is working on the 
image, though.

Joe Heaton
Information Technology Operations Branch
Data and Technology Division
CA Department of Fish and Wildlife
1700 9th Street, 3rd Floor
Sacramento, CA  95811
Desk:  (916) 323-1284

Every Californian should conserve water.  Find out how at:
[SaveOurWater_Logo]<https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fsaveourwater.com%2F&data=02%7C01%7Cchris.barnes%40coretekservices.com%7C5557f17ed2b846dd7e4b08d481c4660f%7Cf7f66891a582418d999ecb1be5354253%7C1%7C0%7C636276127911005056&sdata=aKRYWfEySDSkVaPCTekViK37qkG5ior04RPiv%2Bdc1pc%3D&reserved=0>
SaveOurWater.com<https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fsaveourwater.com%2F&data=02%7C01%7Cchris.barnes%40coretekservices.com%7C5557f17ed2b846dd7e4b08d481c4660f%7Cf7f66891a582418d999ecb1be5354253%7C1%7C0%7C636276127911005056&sdata=aKRYWfEySDSkVaPCTekViK37qkG5ior04RPiv%2Bdc1pc%3D&reserved=0>
 * 
Drought.CA.gov<https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fdrought.ca.gov%2F&data=02%7C01%7Cchris.barnes%40coretekservices.com%7C5557f17ed2b846dd7e4b08d481c4660f%7Cf7f66891a582418d999ecb1be5354253%7C1%7C0%7C636276127911005056&sdata=RYzWiianxQMUEDA%2B0xbgaO2VUJtFZ3I1QdrJ%2BNBEOdI%3D&reserved=0>



The information transmitted is intended only for the person or entity to which 
it is addressed
and may contain CONFIDENTIAL material. If you receive this material/information 
in error,
please contact the sender and delete or destroy the material/information.



The information transmitted is intended only for the person or entity to which 
it is addressed
and may contain CONFIDENTIAL material. If you receive this material/information 
in error,
please contact the sender and delete or destroy the material/information.

RE: [mssms] Patching advice - Cross Post from Patching list

[Heaton, Joseph@Wildlife]

Thanks, Sherry.  I have been thinking of Service Windows, but your explanation 
of how to set them makes a lot of sense.  The vast majority (99%+) of my 
servers are up to date, so I don’t think I’ll run into the 35 updates issue, 
but it’s definitely food for thought.  Doing it this way, will the normal 
deployment states reports show me where I am, and servers that have failed due 
to running out of time?

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Sherry Kissinger
Sent: Thursday, April 13, 2017 8:23 AM
To: mssms@lists.myitforum.com
Subject: Re: [mssms] Patching advice - Cross Post from Patching list

You asked "how are you doing this"... and I don't have those types of timing 
demands on the servers I support for patching.  But here's my 
likely-not-well-thought-out vague ideas on how I'd think about doing it.  (and 
pilot, and test, and test and test...)

Create multiple collections.  Those collections have one role and one role 
only.  Their only job is to let you define the Service Windows for when 
software updates can occur.  Add all the SQL boxes into the Collection called 
"SUM Service Window 7pm to 11pm"  Add all the Web server boxes to "SUM Service 
Window 11pm to 3am".  Add all the you go last boxes to "SUM Service Window 3am 
to 7am".  Now, set Service windows on those collection, for Software Updates 
only, with daily, those times.  You NEVER deploy anything to those collections, 
and you don't use them for anything else, ever.  Remember, their 1 and only job 
is to define Service Windows.

Deploy patches as (almost) normal; but do remember to have the deployment honor 
service windows, and you DO want to allow servers to reboot, post-patching.

What should happen is the boxes in the 7-11pm service window might get the 
patch deployment policy at 3pm... but it'll wait until 7pm to start installing 
(it'll download prior, but won't actually patch til 7pm-ish); and reboot when 
done.  the boxes in the 11pm-3am service window will wait until 11pm for their 
turn to install, and reboot.  and 3am-7am will wait til 3am.  But ... by the 
morning everyone should be done.  Unless, of course (and this could happen, but 
unlikely)... let's say there is a box which deserves 35 patches.  and estimated 
time to install EACH one is 30 minutes.  the CM client itself does the math, 
and says to itself... huh.  35 * 30 minutes ... I'll never patch in the 4hr 
window. "skipping until I can" (and of course, it'll never have a service 
window big enough).  So you'd just have to keep that in mind if you encounter 
failures like that.  In those cases, if it's just 1 or 2 boxes the easy cheat 
is just interactively login, and trigger the install from Software Center of 
the updates.  A human triggering an install overrides a service window.  You 
could also of course on the deployment check the box for "override service 
window"--but then that defeats your whole plan of timed deployments.  but it is 
an option.  Not a GREAT option because of your stated goals... but it is an 
option.



On Wed, Apr 12, 2017 at 4:21 PM, Heaton, Joseph@Wildlife 
mailto:joseph.hea...@wildlife.ca.gov>> wrote:
I’m using SCCM for patching.  Currently, I push server updates in two phases.  
First, all my Dev/Test machines.  The next week, everything else.  I have 215 
Production servers that get patched.  There are SQL boxes, Web boxes, 
Application boxes, File servers, DCs, etc.  My process now:


1)   Deploy updates at 3:00PM.

2)  Go home, and at 7:00PM, run a Pending restart report.

3)  Open up vCenter, and start opening up consoles, 14 at a time, and 
kicking off reboots.

4)  Rinse, repeat until I’m through.

Some of the considerations I have:


1)  Reboot order is important.  SQL has to reboot before web or apps, web 
has to reboot before apps, that kind of thing.

My ask of you guys:

I’m tired of doing everything manually.  I’d love to hear how other folks are 
doing this patching thing, and how I can improve my life.  Please, don’t pull 
punches, either.


Joe Heaton
Information Technology Operations Branch
Data and Technology Division
CA Department of Fish and Wildlife
1700 9th Street, 3rd Floor
Sacramento, CA  95811
Desk:  (916) 323-1284

Every Californian should conserve water.  Find out how at:
<http://saveourwater.com/>
SaveOurWater.com · Drought.CA.gov<http://saveourwater.com/>
 <http://saveourwater.com/>



-- <http://saveourwater.com/>
Thank you,

Sherry Kissinger<http://saveourwater.com/>

My Parameters:  Standardize. Simplify. Automate
Blogs: http://www.mofmaster.com, http://mnscug.org/blogs/sherry-kissinger, 
http://www.smguru.org<http://saveourwater.com/>
 <http://saveourwater.com/>

[mssms] RE: CM updates

[Heaton, Joseph@Wildlife]

Daniel, you're confusing me.

Chris said I can upgrade to 1702 no problem, and that twitter post sounds like 
it was a good thing that that person upgraded to 1702, but you said "Actually 
quite the opposite"

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Daniel Ratliff
Sent: Wednesday, April 12, 2017 10:23 AM
To: mssms@lists.myitforum.com
Subject: [mssms] RE: CM updates

Actually quite the opposite.

"My team resolved 3892 issues in 
#SCCM<https://twitter.com/hashtag/SCCM?src=hash> 1702. That's a lot of reasons 
to upgrade."

https://twitter.com/djammmer/status/851628192670416896

Daniel Ratliff

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Chris Barnes
Sent: Wednesday, April 12, 2017 1:01 PM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: [mssms] RE: CM updates

You can go straight to 1702.

I have not heard or seen any issues with 1702 yet.


Chris Barnes
MCSE: Private Cloud|MCSE: Cloud Platform & Infrastructure
Coretek Services | Microsoft Delivery Manager
* 248.767.4415 cell
* chris.bar...@coretekservices.com
*   http://www.coretekservices.com<http://www.coretekservices.com/>

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Heaton, Joseph@Wildlife
Sent: Wednesday, April 12, 2017 12:19 PM
To: 'mssms@lists.myitforum.com' 
mailto:mssms@lists.myitforum.com>>
Subject: [mssms] CM updates

I'm currently at 1610.  I see 2 hotfixes available, and now, 1702.  Do I need 
to install the hotfixes to update to 1702?  Anyone seeing major issues with 
1702?  We don't have Win 10 in the environment yet, Helpdesk is working on the 
image, though.

Joe Heaton
Information Technology Operations Branch
Data and Technology Division
CA Department of Fish and Wildlife
1700 9th Street, 3rd Floor
Sacramento, CA  95811
Desk:  (916) 323-1284

Every Californian should conserve water.  Find out how at:
[SaveOurWater_Logo]<https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fsaveourwater.com%2F&data=02%7C01%7Cchris.barnes%40coretekservices.com%7C5557f17ed2b846dd7e4b08d481c4660f%7Cf7f66891a582418d999ecb1be5354253%7C1%7C0%7C636276127911005056&sdata=aKRYWfEySDSkVaPCTekViK37qkG5ior04RPiv%2Bdc1pc%3D&reserved=0>
SaveOurWater.com<https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fsaveourwater.com%2F&data=02%7C01%7Cchris.barnes%40coretekservices.com%7C5557f17ed2b846dd7e4b08d481c4660f%7Cf7f66891a582418d999ecb1be5354253%7C1%7C0%7C636276127911005056&sdata=aKRYWfEySDSkVaPCTekViK37qkG5ior04RPiv%2Bdc1pc%3D&reserved=0>
 * 
Drought.CA.gov<https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fdrought.ca.gov%2F&data=02%7C01%7Cchris.barnes%40coretekservices.com%7C5557f17ed2b846dd7e4b08d481c4660f%7Cf7f66891a582418d999ecb1be5354253%7C1%7C0%7C636276127911005056&sdata=RYzWiianxQMUEDA%2B0xbgaO2VUJtFZ3I1QdrJ%2BNBEOdI%3D&reserved=0>



The information transmitted is intended only for the person or entity to which 
it is addressed
and may contain CONFIDENTIAL material. If you receive this material/information 
in error,
please contact the sender and delete or destroy the material/information.

[mssms] Patching advice - Cross Post from Patching list

[Heaton, Joseph@Wildlife]

I'm using SCCM for patching.  Currently, I push server updates in two phases.  
First, all my Dev/Test machines.  The next week, everything else.  I have 215 
Production servers that get patched.  There are SQL boxes, Web boxes, 
Application boxes, File servers, DCs, etc.  My process now:


1)   Deploy updates at 3:00PM.

2)  Go home, and at 7:00PM, run a Pending restart report.

3)  Open up vCenter, and start opening up consoles, 14 at a time, and 
kicking off reboots.

4)  Rinse, repeat until I'm through.

Some of the considerations I have:


1)  Reboot order is important.  SQL has to reboot before web or apps, web 
has to reboot before apps, that kind of thing.

My ask of you guys:

I'm tired of doing everything manually.  I'd love to hear how other folks are 
doing this patching thing, and how I can improve my life.  Please, don't pull 
punches, either.


Joe Heaton
Information Technology Operations Branch
Data and Technology Division
CA Department of Fish and Wildlife
1700 9th Street, 3rd Floor
Sacramento, CA  95811
Desk:  (916) 323-1284

Every Californian should conserve water.  Find out how at:
[SaveOurWater_Logo]
SaveOurWater.com * 
Drought.CA.gov

[mssms] CM updates

[Heaton, Joseph@Wildlife]

I'm currently at 1610.  I see 2 hotfixes available, and now, 1702.  Do I need 
to install the hotfixes to update to 1702?  Anyone seeing major issues with 
1702?  We don't have Win 10 in the environment yet, Helpdesk is working on the 
image, though.

Joe Heaton
Information Technology Operations Branch
Data and Technology Division
CA Department of Fish and Wildlife
1700 9th Street, 3rd Floor
Sacramento, CA  95811
Desk:  (916) 323-1284

Every Californian should conserve water.  Find out how at:
[SaveOurWater_Logo]
SaveOurWater.com * 
Drought.CA.gov

[mssms] SCAP extensions

[Heaton, Joseph@Wildlife]

Anyone using the SCAP extensions?  My security guy approached me yesterday 
about implementing them in my Config Mgr, and I had never heard of them before. 
 Would like to hear from anyone out there with experience with it.  Easy to 
setup?  Is it useful?  Does it work with the latest versions of Config Mgr?  It 
lists 2012 versions, but not current versions.

Joe Heaton
Information Technology Operations Branch
Data and Technology Division
CA Department of Fish and Wildlife
1700 9th Street, 3rd Floor
Sacramento, CA  95811
Desk:  (916) 323-1284

Every Californian should conserve water.  Find out how at:
[SaveOurWater_Logo]
SaveOurWater.com * 
Drought.CA.gov

[mssms] RE: Query for users with multiple primary devices

[Heaton, Joseph@Wildlife]

Why not just use the canned report?  You can set the number of relationships to 
greater than 1.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Beardsley, James
Sent: Thursday, March 30, 2017 10:02 AM
To: mssms@lists.myitforum.com
Subject: [mssms] Query for users with multiple primary devices

Anyone have a SQL query that'll show me all users with more than one primary 
device assigned to them through UDA?

Thanks,
James



Confidentiality Notice: This e-mail is intended only for the addressee named 
above. It contains information that is privileged, confidential or otherwise 
protected from use and disclosure. If you are not the intended recipient, you 
are hereby notified that any review, disclosure, copying, or dissemination of 
this transmission, or taking of any action in reliance on its contents, or 
other use is strictly prohibited. If you have received this transmission in 
error, please reply to the sender listed above immediately and permanently 
delete this message from your inbox. Thank you for your cooperation.

RE: [EXTERNAL] [mssms] Database compatibility

[Heaton, Joseph@Wildlife]

Thanks everyone!  I’ll leave the CM_ database at 110, and bump the others up to 
120.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Sherry Kissinger
Sent: Wednesday, March 22, 2017 7:06 AM
To: mssms@lists.myitforum.com
Subject: Re: [EXTERNAL] [mssms] Database compatibility

To be clear, I meant the db's he mentioned:  ReportServer, the report server 
temp, and the SUSDB
We're on SQL 2016, latest CU.  All our databases for "just about" everything 
are 2016 compat--except the CAS itself (yes, we have a CAS, sadly, with ~400k 
devices, we have to).  After flipping it to sql 2016 everything was great 
except for 1 thing:  For people who go into the console and do NOT have 
security scope to "everything"--in the console, where it would display "just 
the stuff scoped to you", i.e., in Applications; that would take 5+ minutes to 
return results.  If you were full-on admin to everything everywhere, it was 
normal (a few seconds).  As soon as we flipped it to SQL Server 2012 Compat, it 
was back to snappy for people with limited security scopes.

So the CAS database, and the CAS alone is sql 2012 (110); when running SQL 2016.
The SUSdb, the primary sites' databases, the mp replica databases, etc., 
--those are all 2016 compat.

If you happen to be in an environment where everyone in the console is full 
admin, you could have your database for CM (hopefully you don't have a CAS, 
just your 1 primary) with sql 2016 be compat of 2016; and you'd never notice 
this issue.  But if you have RBA and security scopes, you'll want to test that 
scenario if/when you move to sql 2016.

On Wed, Mar 22, 2017 at 8:38 AM, Daniel Ratliff 
mailto:dratl...@humana.com>> wrote:
Can confirm. All our servers are on SQL 2014, with Compat of 120. Our CM 
database is on 110. No issues here.

Daniel Ratliff

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com>] 
On Behalf Of Sherry Kissinger
Sent: Wednesday, March 22, 2017 9:01 AM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: Re: [EXTERNAL] [mssms] Database compatibility

Sure; change them to the highest compatibility.  If you encounter issues (we 
didn't) but if you did, it's a quick flip back.

On Tue, Mar 21, 2017 at 5:11 PM, Heaton, Joseph@Wildlife 
mailto:joseph.hea...@wildlife.ca.gov>> wrote:
So, my CM_ database ended up being correct.  The ones that are not, are 
ReportServer, the report server temp, and the SUSDB.  Worth changing?

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com>] 
On Behalf Of Jason Wallace
Sent: Tuesday, March 21, 2017 12:55 PM

To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: Re: [EXTERNAL] [mssms] Database compatibility


Yes, I have been there and getting this right is like night and day.  From a 
user experience perspective you'll see really horrible Software Center 
performance


From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
mailto:listsad...@lists.myitforum.com>> on 
behalf of Spengler, Jeff 
mailto:jspeng...@idahopower.com>>
Sent: 21 March 2017 19:36
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: Re: [EXTERNAL] [mssms] Database compatibility

Take a look at this KB.
https://support.microsoft.com/en-nz/help/3196320/sql-query-times-out-or-console-slow-on-certain-configuration-manager-database-queries
SQL query times out or console slow on certain 
...<https://support.microsoft.com/en-nz/help/3196320/sql-query-times-out-or-console-slow-on-certain-configuration-manager-database-queries>
support.microsoft.com<http://support.microsoft.com>
Describes a scenario in you may experience slow Configuration Manager console 
performance or unusual SQL query timeouts for certain Configuration Manager 
database ...




SQL Server version

Supported compatibility level values

Recommended compatibility level for ConfigMgr

SQL Server 2016

130, 120, 110, 100

130

SQL Server 2014

120, 110, 100

110





From: "listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com>" 
mailto:listsad...@lists.myitforum.com>> on 
behalf of "Heaton, Joseph@Wildlife" 
mailto:joseph.hea...@wildlife.ca.gov>>
Reply-To: "mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>" 
mailto:mssms@lists.myitforum.com>>
Date: Tuesday, March 21, 2017 at 12:14 PM
To: "'mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>'" 
mailto:mssms@lists.myitforum.com>>
Subject: [EXTERNAL] [mssms] Database compatibility

CM1610
SQL 2014

My SQL Dba just came ove

[mssms] RE: Rights needed for image creation

[Heaton, Joseph@Wildlife]

Well, there are a number of errors when he tries the process.  Most of which 
are error retrieving object CollectionID = blah.  None of the collections that 
show up there are ones that they have rights for.

There are some other errors:

[6, PID:7464][03/22/2017 13:20:02] 
:System.Management.ManagementException\r\nNot found \r\n   at 
System.Management.ManagementException.ThrowWithExtendedInfo(ManagementStatus 
errorCode)

[6, PID:7464][03/22/2017 13:20:02] 
:Microsoft.ConfigurationManagement.ManagementProvider.WqlQueryEngine.WqlQueryException\r\nThe
 SMS Provider reported an error.\r\n   at 
Microsoft.ConfigurationManagement.ManagementProvider.WqlQueryEngine.WqlConnectionManager.GetInstance(String
 objectPath)
   at 
Microsoft.ConfigurationManagement.AdminConsole.CollectionMenuActions.ClearDeploymentLocks.IsClearDeploymentLocksEnabled(Object
 sender, ScopeNode scopeNode, ActionDescription action, ResultObjectBase 
resultObj)\r\nConfigMgr Error Object: instance of SMS_ExtendedStatus

[14, PID:7464][03/22/2017 13:20:17] 
:System.Management.ManagementException\r\nNot found \r\n   at 
System.Management.ManagementException.ThrowWithExtendedInfo(ManagementStatus 
errorCode)


From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Schultz, Michael A
Sent: Tuesday, March 21, 2017 4:31 PM
To: mssms@lists.myitforum.com
Subject: [mssms] RE: Rights needed for image creation

What does the adminui log on their machine say the error is?

Michael Schultz
Client Systems Engineering, SCCM Engineer
Information Systems
Providence Health & Services
michael.schu...@providence.org<mailto:michael.schu...@providence.org>

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Heaton, Joseph@Wildlife
Sent: Tuesday, March 21, 2017 3:15 PM
To: 'mssms@lists.myitforum.com' 
mailto:mssms@lists.myitforum.com>>
Subject: [mssms] Rights needed for image creation

I'm trying to setup a couple of guys from our Helpdesk to be able to create our 
Win10 image within SCCM (1610).  I've given them the Operating Systems 
Deployment Manager role, put the All Systems collection, and Default Security 
Scope.  They're telling me that when they try to manually import a computer, 
they get to the point of selecting a collection to put it in, and the 
collection window is blank, no collections listed.  Can anyone help me get them 
where they need to be without giving them Full Admin?

Joe Heaton
Information Technology Operations Branch
Data and Technology Division
CA Department of Fish and Wildlife
1700 9th Street, 3rd Floor
Sacramento, CA  95811
Desk:  (916) 323-1284

Every Californian should conserve water.  Find out how at:
[SaveOurWater_Logo]<https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fsaveourwater.com%2F&data=01%7C01%7Cmichael.schultz%40providence.org%7Cf12c5e5e2fbf4cdd7b2b08d470b0bd90%7C2e3190869a2646a3865f615bed576786%7C1&sdata=2iGIyUgytQNY3h3Dn0FFpkr%2FVmJDdvz3erXczmdyrCA%3D&reserved=0>
SaveOurWater.com<https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fsaveourwater.com%2F&data=01%7C01%7Cmichael.schultz%40providence.org%7Cf12c5e5e2fbf4cdd7b2b08d470b0bd90%7C2e3190869a2646a3865f615bed576786%7C1&sdata=2iGIyUgytQNY3h3Dn0FFpkr%2FVmJDdvz3erXczmdyrCA%3D&reserved=0>
 * 
Drought.CA.gov<https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fdrought.ca.gov%2F&data=01%7C01%7Cmichael.schultz%40providence.org%7Cf12c5e5e2fbf4cdd7b2b08d470b0bd90%7C2e3190869a2646a3865f615bed576786%7C1&sdata=nLNfkwYMPI9Khx5I%2FWGTmOjRfi3dLPVOwnhwsuJyKNA%3D&reserved=0>




This message is intended for the sole use of the addressee, and may contain 
information that is privileged, confidential and exempt from disclosure under 
applicable law. If you are not the addressee you are hereby notified that you 
may not use, copy, disclose, or distribute to anyone the message or any 
information contained in the message. If you have received this message in 
error, please immediately advise the sender by reply email and delete this 
message.

RE: [mssms] RE: Rights needed for image creation

[Heaton, Joseph@Wildlife]

No.  There is another collection that they want to import into.  That 
collection is also in their scopes and collections.  The reason I added All 
Systems was a blog post I found online.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Adam Juelich
Sent: Tuesday, March 21, 2017 5:46 PM
To: mssms@lists.myitforum.com
Subject: Re: [mssms] RE: Rights needed for image creation

Are you trying to have them import computers into the 'All Systems' Collection? 
 If so, can't do itit's a built-in Collection that you can't mess with, 
for good reason.

On Tue, Mar 21, 2017 at 6:31 PM, Schultz, Michael A 
mailto:michael.schu...@providence.org>> wrote:
What does the adminui log on their machine say the error is?

Michael Schultz
Client Systems Engineering, SCCM Engineer
Information Systems
Providence Health & Services
michael.schu...@providence.org<mailto:michael.schu...@providence.org>

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com>] 
On Behalf Of Heaton, Joseph@Wildlife
Sent: Tuesday, March 21, 2017 3:15 PM
To: 'mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>' 
mailto:mssms@lists.myitforum.com>>
Subject: [mssms] Rights needed for image creation

I’m trying to setup a couple of guys from our Helpdesk to be able to create our 
Win10 image within SCCM (1610).  I’ve given them the Operating Systems 
Deployment Manager role, put the All Systems collection, and Default Security 
Scope.  They’re telling me that when they try to manually import a computer, 
they get to the point of selecting a collection to put it in, and the 
collection window is blank, no collections listed.  Can anyone help me get them 
where they need to be without giving them Full Admin?

Joe Heaton
Information Technology Operations Branch
Data and Technology Division
CA Department of Fish and Wildlife
1700 9th Street, 3rd Floor
Sacramento, CA  95811
Desk:  (916) 323-1284

Every Californian should conserve water.  Find out how at:
[SaveOurWater_Logo]<https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fsaveourwater.com%2F&data=01%7C01%7Cmichael.schultz%40providence.org%7Cf12c5e5e2fbf4cdd7b2b08d470b0bd90%7C2e3190869a2646a3865f615bed576786%7C1&sdata=2iGIyUgytQNY3h3Dn0FFpkr%2FVmJDdvz3erXczmdyrCA%3D&reserved=0>
SaveOurWater.com<https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fsaveourwater.com%2F&data=01%7C01%7Cmichael.schultz%40providence.org%7Cf12c5e5e2fbf4cdd7b2b08d470b0bd90%7C2e3190869a2646a3865f615bed576786%7C1&sdata=2iGIyUgytQNY3h3Dn0FFpkr%2FVmJDdvz3erXczmdyrCA%3D&reserved=0>
 · 
Drought.CA.gov<https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fdrought.ca.gov%2F&data=01%7C01%7Cmichael.schultz%40providence.org%7Cf12c5e5e2fbf4cdd7b2b08d470b0bd90%7C2e3190869a2646a3865f615bed576786%7C1&sdata=nLNfkwYMPI9Khx5I%2FWGTmOjRfi3dLPVOwnhwsuJyKNA%3D&reserved=0>




This message is intended for the sole use of the addressee, and may contain 
information that is privileged, confidential and exempt from disclosure under 
applicable law. If you are not the addressee you are hereby notified that you 
may not use, copy, disclose, or distribute to anyone the message or any 
information contained in the message. If you have received this message in 
error, please immediately advise the sender by reply email and delete this 
message.

RE: [EXTERNAL] [mssms] Database compatibility

[Heaton, Joseph@Wildlife]

So, my CM_ database ended up being correct.  The ones that are not, are 
ReportServer, the report server temp, and the SUSDB.  Worth changing?

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Jason Wallace
Sent: Tuesday, March 21, 2017 12:55 PM
To: mssms@lists.myitforum.com
Subject: Re: [EXTERNAL] [mssms] Database compatibility


Yes, I have been there and getting this right is like night and day.  From a 
user experience perspective you'll see really horrible Software Center 
performance


From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
mailto:listsad...@lists.myitforum.com>> on 
behalf of Spengler, Jeff 
mailto:jspeng...@idahopower.com>>
Sent: 21 March 2017 19:36
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: Re: [EXTERNAL] [mssms] Database compatibility

Take a look at this KB.
https://support.microsoft.com/en-nz/help/3196320/sql-query-times-out-or-console-slow-on-certain-configuration-manager-database-queries
SQL query times out or console slow on certain 
...<https://support.microsoft.com/en-nz/help/3196320/sql-query-times-out-or-console-slow-on-certain-configuration-manager-database-queries>
support.microsoft.com
Describes a scenario in you may experience slow Configuration Manager console 
performance or unusual SQL query timeouts for certain Configuration Manager 
database ...




SQL Server version

Supported compatibility level values

Recommended compatibility level for ConfigMgr

SQL Server 2016

130, 120, 110, 100

130

SQL Server 2014

120, 110, 100

110





From: "listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com>" 
mailto:listsad...@lists.myitforum.com>> on 
behalf of "Heaton, Joseph@Wildlife" 
mailto:joseph.hea...@wildlife.ca.gov>>
Reply-To: "mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>" 
mailto:mssms@lists.myitforum.com>>
Date: Tuesday, March 21, 2017 at 12:14 PM
To: "'mssms@lists.myitforum.com'" 
mailto:mssms@lists.myitforum.com>>
Subject: [EXTERNAL] [mssms] Database compatibility

CM1610
SQL 2014

My SQL Dba just came over and mentioned that my SCCM databases are in 2008 
compatibility mode.  She asked if it would be ok to change that, and I said I 
don't know.  WSUS is installed on this server as well.  Are there any 
requirements for compatibility mode?  Also, I was told that named pipes are 
disabled.  Any reason/need to have it disabled?

Joe Heaton
Information Technology Operations Branch
Data and Technology Division
CA Department of Fish and Wildlife
1700 9th Street, 3rd Floor
Sacramento, CA  95811
Desk:  (916) 323-1284

Every Californian should conserve water.  Find out how at:
[aveOurWater_Logo]<http://saveourwater.com/>
SaveOurWater.com<http://saveourwater.com/> · 
Drought.CA.gov<http://drought.ca.gov/>
California Drought Portal<http://drought.ca.gov/>
drought.ca.gov
California State Climatologist: Do Not Count on El Niño to End Drought. August 
13, 2015 - State Climatologist Michael Anderson said today that California 
cannot ...


Home - Save Our Water<http://saveourwater.com/>
saveourwater.com
Conservation Lifestyle Good Habits. Californians have made great strides in 
their commitment to water conservation and are embracing wise water use as a 
daily habit.





-






This transmission may contain information that is privileged, confidential 
and/or exempt from disclosure under

applicable law.  If you are not the intended recipient, you are hereby notified 
that any disclosure, copying,

distribution, or use of the information contained herein (including any 
reliance thereon) is STRICTLY PROHIBITED. If

you received this transmission in error, please immediately contact the sender 
and destroy the material in its

entirety, whether in electronic or hard copy format.  Thank you.



-

[mssms] Rights needed for image creation

[Heaton, Joseph@Wildlife]

I'm trying to setup a couple of guys from our Helpdesk to be able to create our 
Win10 image within SCCM (1610).  I've given them the Operating Systems 
Deployment Manager role, put the All Systems collection, and Default Security 
Scope.  They're telling me that when they try to manually import a computer, 
they get to the point of selecting a collection to put it in, and the 
collection window is blank, no collections listed.  Can anyone help me get them 
where they need to be without giving them Full Admin?

Joe Heaton
Information Technology Operations Branch
Data and Technology Division
CA Department of Fish and Wildlife
1700 9th Street, 3rd Floor
Sacramento, CA  95811
Desk:  (916) 323-1284

Every Californian should conserve water.  Find out how at:
[SaveOurWater_Logo]
SaveOurWater.com * 
Drought.CA.gov

[mssms] Database compatibility

[Heaton, Joseph@Wildlife]

CM1610
SQL 2014

My SQL Dba just came over and mentioned that my SCCM databases are in 2008 
compatibility mode.  She asked if it would be ok to change that, and I said I 
don't know.  WSUS is installed on this server as well.  Are there any 
requirements for compatibility mode?  Also, I was told that named pipes are 
disabled.  Any reason/need to have it disabled?

Joe Heaton
Information Technology Operations Branch
Data and Technology Division
CA Department of Fish and Wildlife
1700 9th Street, 3rd Floor
Sacramento, CA  95811
Desk:  (916) 323-1284

Every Californian should conserve water.  Find out how at:
[SaveOurWater_Logo]
SaveOurWater.com * 
Drought.CA.gov

[mssms] Console issue

[Heaton, Joseph@Wildlife]

CM 1610 - no hotfix

So, my console is suddenly showing GMT for things like deployment times, etc.  
Anyone else seeing that?  Know how to change it back?

Joe Heaton
Information Technology Operations Branch
Data and Technology Division
CA Department of Fish and Wildlife
1700 9th Street, 3rd Floor
Sacramento, CA  95811
Desk:  (916) 323-1284

Every Californian should conserve water.  Find out how at:
[SaveOurWater_Logo]
SaveOurWater.com * 
Drought.CA.gov

RE: [mssms] windows 10 OS Build Licence question

[Heaton, Joseph@Wildlife]

Why do you say that MAK keys make things more difficult?  We just bake them 
into the installs, and everything just works.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Jason Sandys
Sent: Friday, March 10, 2017 11:43 AM
To: mssms@lists.myitforum.com
Subject: RE: [mssms] windows 10 OS Build Licence question

Why would you not want to use a KMS? MAK keys make everything more difficult. 
Settings up a KMS is drop-dead easy and requires no additional infrastructure 
as most folks use existing DCs, DNS servers, or other existing infrastructure 
systems. Not using a KMS makes no sense honestly in almost all scenarios.

J

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Kent, Mark
Sent: Friday, March 10, 2017 10:51 AM
To: mssms@lists.myitforum.com
Subject: RE: [mssms] windows 10 OS Build Licence question

Yes, that’ll do it.  Usually when you get a MAK key it will tell you how many 
activations you have.  You may have to keep an eye on it in case you run over 
that number.

Mark Kent
Manager, Client Systems Engineering
Technology Support Services
Resources for Information, Technology and Education (RITE)
http://rite.buffalostate.edu

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Kevin Ray
Sent: Friday, March 10, 2017 11:40 AM
To: mssms mailto:mssms@lists.myitforum.com>>
Subject: Re: [mssms] windows 10 OS Build Licence question

thanks for the information

 if i don't want to setup a KMS server, If my sales people provide the MAK 
Key(from Microsoft they will get it i hope)..

in below Task sequence step at "Applying windows Settings" do i need to 
provide.. .. So this 1 single MAK will get activated to all my machines (yes 
based my company purchased license count )  or  any other things do i need to 
do if i don't want to go for KMS?

[Inline image 1]

On Fri, Mar 10, 2017 at 10:51 AM, Kent, Mark 
mailto:ken...@buffalostate.edu>> wrote:
If you have a volume version it will prefer to get a license from a KMS server 
that you will have to setup in our environment.  Once you have the KMS server 
setup, there is nothing you need to do.  The OS will seek out a KMS server for 
activation and when found, will do everything automagically.

If you do not have a volume license, or do not feel like setting up a KMS 
server, you will need MAK key.  With that you can either manually put in the 
MAK key or use it during a task sequence deployment, if you are using SCCM or 
MDT for deployment, you can populate the key field and it will install the key 
during deployment.

Mark Kent
Manager, Client Systems Engineering
Technology Support Services
Resources for Information, Technology and Education (RITE)
http://rite.buffalostate.edu

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] 
On Behalf Of Kevin Ray
Sent: Friday, March 10, 2017 10:36 AM
To: mssms mailto:mssms@lists.myitforum.com>>
Subject: [mssms] windows 10 OS Build Licence question

Hi All,

I'm new to License part. I have done is Got the Windows ISO from My sales team 
who has downloaded from Microsoft website...

Then i have taken the ISO and did the customization and deployed for pre-pilot 
machines..

showing as Windows is not activated...

So How it will get activated .. I would like to know more about on this.. is 
their any thing I need to machine in image preparation ? or we should some  
server in my environment to activate it ?

[mssms] RE: Microsoft Server patching training

[Heaton, Joseph@Wildlife]

No.  I have a Server 2008 collection, and a Server 2012 collection.  The 
reboots are literally manually done by me after work.  I sit at my desk at 
home, starting at 7:00pm, with the status report from the deployment, and 
reboot.  We're 99% virtualized, so I'll open up the console view for 14 servers 
at a time (because that's how many I can fit on my monitor and still have the 
actual view) and have VMWare do the recycle.  When the console is back to the 
login screen, I close that window, open up the next and continue.  It typically 
takes me about 3-4 hours to reboot the 200+ servers.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of HELMS, DAVID C
Sent: Friday, February 24, 2017 8:12 AM
To: mssms@lists.myitforum.com
Subject: [mssms] RE: Microsoft Server patching training

Do you have your sql boxes, web, and app servers in different collections and 
then rebooted at different times?  How many collections do you have that you 
have to manually setup like this each month?

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Heaton, Joseph@Wildlife
Sent: Friday, February 24, 2017 10:21 AM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: [mssms] RE: Microsoft Server patching training

***This is an EXTERNAL email. Please do not click on a link or open any 
attachments unless you are confident it is from a trusted source.


What exactly are you asking?

Server patching is pretty straight-forward.  Have a test collection, apply the 
patches there first, if everything goes well, deploy to your production 
environment.  We suppress the reboots here, and I do reboots manually, SQL 
boxes first, then web, then apps, etc.  We've historically had issues with apps 
not reconnecting to their databases if we don't reboot in order.

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Phil Hanly
Sent: Wednesday, February 22, 2017 5:21 PM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: [mssms] Microsoft Server patching training

Hello,
What was/in the best training you found for Microsoft Server patching training?

Using SCCM (Current Branch) ~

Thank you,
PhilH

[mssms] RE: Microsoft Server patching training

[Heaton, Joseph@Wildlife]

What exactly are you asking?

Server patching is pretty straight-forward.  Have a test collection, apply the 
patches there first, if everything goes well, deploy to your production 
environment.  We suppress the reboots here, and I do reboots manually, SQL 
boxes first, then web, then apps, etc.  We've historically had issues with apps 
not reconnecting to their databases if we don't reboot in order.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Phil Hanly
Sent: Wednesday, February 22, 2017 5:21 PM
To: mssms@lists.myitforum.com
Subject: [mssms] Microsoft Server patching training

Hello,
What was/in the best training you found for Microsoft Server patching training?

Using SCCM (Current Branch) ~

Thank you,
PhilH

[mssms] clients offline

[Heaton, Joseph@Wildlife]

What exactly is SCCM using to determine that it needs to give a client the 
Offline icon?  All of my secondary servers, except one, are showing Offline.  I 
have tons of client PCs showing Offline.  Some of these are legitimately turned 
off, or at least, off the network.  But not my secondary servers.  And not a 
lot of the client PCs.  I can ping them, I can remote control them.  Anyone 
know?

Joe Heaton
Information Technology Operations Branch
Data and Technology Division
CA Department of Fish and Wildlife
1700 9th Street, 3rd Floor
Sacramento, CA  95811
Desk:  (916) 323-1284

Every Californian should conserve water.  Find out how at:
[SaveOurWater_Logo]
SaveOurWater.com * 
Drought.CA.gov

RE: [mssms] Windows 10 & SCEP

[Heaton, Joseph@Wildlife]

Mine definitely show an Antimalware version in my SCCM console.  Are you using 
SCCM CB?

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Adam Juelich
Sent: Friday, January 27, 2017 1:03 PM
To: mssms@lists.myitforum.com
Subject: [mssms] Windows 10 & SCEP

Hello Everyone,

Just starting to pilot SCEP in our environment and we have a handful of Windows 
10 clients.  I understand that you do not deploy the SCEP client to them, that 
it just flips the management switch on Windows Defender as they leverage the 
same engine.

I have done this but I do not see in the console that it lists an 'Antimalware 
Version.'  When I look at a machine I see Windows Defender in the bottom 
stating it is protected but when I look at properties within there I do not see 
the 'Antimalware Policy' listed.

Am I missing something?  They are in my test collection along with Windows 8.1 
and Windows 7 clients.  I deployed SCEP to them, have the client setting for 
Endpoint Protection set to 'Manage' and I have a custom Antimalware Policy 
deployed to it.

Thanks!

[mssms] RE: SCEP right-click scan with

[Heaton, Joseph@Wildlife]

Does the change to Defender apply to Win 7 as well, or just Win10?

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Wendell Hutchison
Sent: Tuesday, January 24, 2017 10:17 AM
To: mssms@lists.myitforum.com
Subject: [mssms] RE: SCEP right-click scan with

SCCM 1610

I recall Defender is now the front-end tool for SCEP. I right-click a file on 
my  machine and get "Scan with Windows Defender..." as an option.

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Heaton, Joseph@Wildlife
Sent: Tuesday, January 24, 2017 10:27 AM
To: 'mssms@lists.myitforum.com' 
mailto:mssms@lists.myitforum.com>>
Subject: [mssms] SCEP right-click scan with

SCCM 1606

A user noticed a few days ago that the option to right-click a file and choose 
Scan with System Center Endpoint Protection, is not available anymore.  I see 
the same result on my own machine.  I looked through the Antimalware policy, 
and can't find a setting for this.  Am I missing something?

Thanks,

Joe Heaton
Information Technology Operations Branch
Data and Technology Division
CA Department of Fish and Wildlife
1700 9th Street, 3rd Floor
Sacramento, CA  95811
Desk:  (916) 323-1284

Every Californian should conserve water.  Find out how at:
[SaveOurWater_Logo]<http://saveourwater.com/>
SaveOurWater.com<http://saveourwater.com/> * 
Drought.CA.gov<http://drought.ca.gov/>

RE: [mssms] RE: SCEP right-click scan with

[Heaton, Joseph@Wildlife]

Added Updates.  This morning I come in and the SUG is Invalid, and has no 
members.  So, I manual deployment of the .409 update didn’t work (the test 
machines show up as Compliant, but are still .407) and I changed the ADR a 
little too late, apparently.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Adam Juelich
Sent: Wednesday, January 25, 2017 11:26 AM
To: mssms@lists.myitforum.com
Subject: Re: [mssms] RE: SCEP right-click scan with

You want to also use the 'Updates' Classification.  You're just doing 
Definition Updates.

On Wed, Jan 25, 2017 at 12:26 PM, Heaton, Joseph@Wildlife 
mailto:joseph.hea...@wildlife.ca.gov>> wrote:
So, my ADR for SCEP is setup for:

Date Released or Revised Last 1 day

Product “Forefront Endpoint Protection 2010”

Superseded No

Update Classification “Definition Updates”


I don’t see the client update in the SUG.

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com>] 
On Behalf Of Adam Juelich
Sent: Wednesday, January 25, 2017 9:24 AM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: Re: [mssms] RE: SCEP right-click scan with

You should see Definition Updates and Client Updates in your SUG for SCEP.

4.10, 4.7, 4.5, 4.3, etc

4.10.209 came down to machines today for me.  Requires a restart.

On Wed, Jan 25, 2017 at 11:02 AM, the codepoets 
mailto:thecodepo...@gmail.com>> wrote:
We saw this this morning as well. It's unlikely that you have had 4.10.209.0 
deployed since October. What you probably had was 4.10.207.0 deployed. From 
what I can tell, Microsoft revised 4.10.207.0 to 4.10.209.0 yesterday, instead 
of putting a "new" update out.

I have a question out to the patchmanagement list about this behavior, but can 
ask it here too. Is a revision expected behavior now? And did I miss some 
information about this change?

-Erik

On Wed, Jan 25, 2017 at 6:39 AM, Heaton, Joseph@Wildlife 
mailto:joseph.hea...@wildlife.ca.gov>> wrote:
So, I did a manual SUP sync, and the below update showed up.  I downloaded, and 
deployed to 3 test machines.  This morning, deployment status shows 2 of my 
machines are compliant.  However, the folder in ccmcache on those machines are 
empty, and the version is still 4.10.207.  Why are they showing as compliant?

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com>] 
On Behalf Of Brian Huneycutt
Sent: Tuesday, January 24, 2017 11:01 AM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: [mssms] RE: SCEP right-click scan with

We actually just shipped the fix for this as a revision to the 4.10.207 release 
on Microsoft Update. The new version is now 4.10.209.
If you have an existing .207 deployment, you can download the revised content 
after your next SUP sync, or just create a new deployment for .209.
KB article
https://support.microsoft.com/help/3209361


From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Jason Sandys
Sent: Tuesday, January 24, 2017 1:24 PM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: [mssms] RE: SCEP right-click scan with

Correct. Client notification only works on collections or devices from within 
the view of a collection’s membership and not in the devices node. I think this 
is technically a bug and not by design but it’s been that way since client 
notification was introduced with 2012 SP1.

J

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Melin, Cordell (BAC/LAC)
Sent: Tuesday, January 24, 2017 12:00 PM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: [mssms] RE: SCEP right-click scan with

I am running n1610, but you only get the Endpoint Protection right click if 
doing it to a client in a collection, not directly from under the Devices node.

[cid:image001.png@01D2779F.E02AC350]

Cordell Melin

Conseiller technique, Direction générale de l'Innovation et du Dirigeant 
principal de l'information
Bibliothèque et Archives 
Canada<https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.bac-lac.gc.ca%2Ffra%2FPages%2Fbac-web.aspx&data=02%7C01%7Cbrianhun%40exchange.microsoft.com%7Ce1bff175c41140ec421c08d444893aae%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636208803576259979&sdata=EFuOCUCIx5CcJ8ty1imL19OFT9aSQ8M%2BYNgwILXty08%3D&reserved=0>
 / Gouvernement du Canada
cordell.me...@canada.ca<mailto:cordell.me...@canada.ca> / Tél. : 
613-355-3290

Technical Advisor, Innovation and Chief Information Officer Branch
Library and Archives 
Canada<https://na01.s

RE: [mssms] RE: SCEP right-click scan with

[Heaton, Joseph@Wildlife]

Cool, thanks.  We’ll see if the timeframe is broad enough to catch it.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Adam Juelich
Sent: Wednesday, January 25, 2017 11:26 AM
To: mssms@lists.myitforum.com
Subject: Re: [mssms] RE: SCEP right-click scan with

You want to also use the 'Updates' Classification.  You're just doing 
Definition Updates.

On Wed, Jan 25, 2017 at 12:26 PM, Heaton, Joseph@Wildlife 
mailto:joseph.hea...@wildlife.ca.gov>> wrote:
So, my ADR for SCEP is setup for:

Date Released or Revised Last 1 day

Product “Forefront Endpoint Protection 2010”

Superseded No

Update Classification “Definition Updates”


I don’t see the client update in the SUG.

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com>] 
On Behalf Of Adam Juelich
Sent: Wednesday, January 25, 2017 9:24 AM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: Re: [mssms] RE: SCEP right-click scan with

You should see Definition Updates and Client Updates in your SUG for SCEP.

4.10, 4.7, 4.5, 4.3, etc

4.10.209 came down to machines today for me.  Requires a restart.

On Wed, Jan 25, 2017 at 11:02 AM, the codepoets 
mailto:thecodepo...@gmail.com>> wrote:
We saw this this morning as well. It's unlikely that you have had 4.10.209.0 
deployed since October. What you probably had was 4.10.207.0 deployed. From 
what I can tell, Microsoft revised 4.10.207.0 to 4.10.209.0 yesterday, instead 
of putting a "new" update out.

I have a question out to the patchmanagement list about this behavior, but can 
ask it here too. Is a revision expected behavior now? And did I miss some 
information about this change?

-Erik

On Wed, Jan 25, 2017 at 6:39 AM, Heaton, Joseph@Wildlife 
mailto:joseph.hea...@wildlife.ca.gov>> wrote:
So, I did a manual SUP sync, and the below update showed up.  I downloaded, and 
deployed to 3 test machines.  This morning, deployment status shows 2 of my 
machines are compliant.  However, the folder in ccmcache on those machines are 
empty, and the version is still 4.10.207.  Why are they showing as compliant?

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com>] 
On Behalf Of Brian Huneycutt
Sent: Tuesday, January 24, 2017 11:01 AM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: [mssms] RE: SCEP right-click scan with

We actually just shipped the fix for this as a revision to the 4.10.207 release 
on Microsoft Update. The new version is now 4.10.209.
If you have an existing .207 deployment, you can download the revised content 
after your next SUP sync, or just create a new deployment for .209.
KB article
https://support.microsoft.com/help/3209361


From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Jason Sandys
Sent: Tuesday, January 24, 2017 1:24 PM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: [mssms] RE: SCEP right-click scan with

Correct. Client notification only works on collections or devices from within 
the view of a collection’s membership and not in the devices node. I think this 
is technically a bug and not by design but it’s been that way since client 
notification was introduced with 2012 SP1.

J

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Melin, Cordell (BAC/LAC)
Sent: Tuesday, January 24, 2017 12:00 PM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: [mssms] RE: SCEP right-click scan with

I am running n1610, but you only get the Endpoint Protection right click if 
doing it to a client in a collection, not directly from under the Devices node.

[cid:image001.png@01D276FF.A815E170]

Cordell Melin

Conseiller technique, Direction générale de l'Innovation et du Dirigeant 
principal de l'information
Bibliothèque et Archives 
Canada<https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.bac-lac.gc.ca%2Ffra%2FPages%2Fbac-web.aspx&data=02%7C01%7Cbrianhun%40exchange.microsoft.com%7Ce1bff175c41140ec421c08d444893aae%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636208803576259979&sdata=EFuOCUCIx5CcJ8ty1imL19OFT9aSQ8M%2BYNgwILXty08%3D&reserved=0>
 / Gouvernement du Canada
cordell.me...@canada.ca<mailto:cordell.me...@canada.ca> / Tél. : 
613-355-3290

Technical Advisor, Innovation and Chief Information Officer Branch
Library and Archives 
Canada<https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.bac-lac.gc.ca%2Feng%2FPages%2Flac-web.aspx&data=02%7C01%7Cbrianhun%40exchange.microsoft.com%7Ce1bff175c41140ec421c08d444893aae%7C72f

RE: [mssms] RE: SCEP right-click scan with

[Heaton, Joseph@Wildlife]

So, my ADR for SCEP is setup for:

Date Released or Revised Last 1 day

Product “Forefront Endpoint Protection 2010”

Superseded No

Update Classification “Definition Updates”


I don’t see the client update in the SUG.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Adam Juelich
Sent: Wednesday, January 25, 2017 9:24 AM
To: mssms@lists.myitforum.com
Subject: Re: [mssms] RE: SCEP right-click scan with

You should see Definition Updates and Client Updates in your SUG for SCEP.

4.10, 4.7, 4.5, 4.3, etc

4.10.209 came down to machines today for me.  Requires a restart.

On Wed, Jan 25, 2017 at 11:02 AM, the codepoets 
mailto:thecodepo...@gmail.com>> wrote:
We saw this this morning as well. It's unlikely that you have had 4.10.209.0 
deployed since October. What you probably had was 4.10.207.0 deployed. From 
what I can tell, Microsoft revised 4.10.207.0 to 4.10.209.0 yesterday, instead 
of putting a "new" update out.

I have a question out to the patchmanagement list about this behavior, but can 
ask it here too. Is a revision expected behavior now? And did I miss some 
information about this change?

-Erik

On Wed, Jan 25, 2017 at 6:39 AM, Heaton, Joseph@Wildlife 
mailto:joseph.hea...@wildlife.ca.gov>> wrote:
So, I did a manual SUP sync, and the below update showed up.  I downloaded, and 
deployed to 3 test machines.  This morning, deployment status shows 2 of my 
machines are compliant.  However, the folder in ccmcache on those machines are 
empty, and the version is still 4.10.207.  Why are they showing as compliant?

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com>] 
On Behalf Of Brian Huneycutt
Sent: Tuesday, January 24, 2017 11:01 AM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: [mssms] RE: SCEP right-click scan with

We actually just shipped the fix for this as a revision to the 4.10.207 release 
on Microsoft Update. The new version is now 4.10.209.
If you have an existing .207 deployment, you can download the revised content 
after your next SUP sync, or just create a new deployment for .209.
KB article
https://support.microsoft.com/help/3209361


From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Jason Sandys
Sent: Tuesday, January 24, 2017 1:24 PM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: [mssms] RE: SCEP right-click scan with

Correct. Client notification only works on collections or devices from within 
the view of a collection’s membership and not in the devices node. I think this 
is technically a bug and not by design but it’s been that way since client 
notification was introduced with 2012 SP1.

J

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Melin, Cordell (BAC/LAC)
Sent: Tuesday, January 24, 2017 12:00 PM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: [mssms] RE: SCEP right-click scan with

I am running n1610, but you only get the Endpoint Protection right click if 
doing it to a client in a collection, not directly from under the Devices node.

[cid:image001.png@01D276F5.872CC910]

Cordell Melin

Conseiller technique, Direction générale de l'Innovation et du Dirigeant 
principal de l'information
Bibliothèque et Archives 
Canada<https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.bac-lac.gc.ca%2Ffra%2FPages%2Fbac-web.aspx&data=02%7C01%7Cbrianhun%40exchange.microsoft.com%7Ce1bff175c41140ec421c08d444893aae%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636208803576259979&sdata=EFuOCUCIx5CcJ8ty1imL19OFT9aSQ8M%2BYNgwILXty08%3D&reserved=0>
 / Gouvernement du Canada
cordell.me...@canada.ca<mailto:cordell.me...@canada.ca> / Tél. : 
613-355-3290

Technical Advisor, Innovation and Chief Information Officer Branch
Library and Archives 
Canada<https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.bac-lac.gc.ca%2Feng%2FPages%2Flac-web.aspx&data=02%7C01%7Cbrianhun%40exchange.microsoft.com%7Ce1bff175c41140ec421c08d444893aae%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636208803576259979&sdata=LoGCRsbNewpbSiwZ%2Bm5HbtV3DBaFW86Pkg5lw5ZO3F0%3D&reserved=0>
 / Government of Canada
cordell.me...@canada.ca<mailto:cordell.me...@canada.ca> / Tel: 
613-355-3290



From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Heaton, Joseph@Wildlife
Sent: January 24, 2017 12:27 PM
To: 'mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>' 
mailto:mssms@lists.myitforum.com>>
Subject: [mssms] SCEP right-click scan with

SCCM 1606

A user noticed a few days ago that th

RE: [mssms] RE: Intune

[Heaton, Joseph@Wildlife]

John, that’s an interesting comment.  We recently (past few months), migrated 
email to O365, and are looking at implementing other features.  We have ECS 
licenses for everyone, so have access to the whole shooting match.  We had a 
kickoff meeting yesterday to discuss Intune, and the general consensus from 
what I was hearing (I’m not the point on this one) was to do just the 
stand-alone deployment.

Why do you say definite Hybrid if on CM?  (we are, 1606 atm)

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Marcum, John
Sent: Wednesday, January 25, 2017 7:35 AM
To: mssms@lists.myitforum.com
Subject: RE: [mssms] RE: Intune

I’ve done several hybrid deployments and I see no reason that it would be less 
responsive. I wouldn’t do a stand-alone Intune deployment for anyone who is on 
CM current branch.

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Adam Juelich
Sent: Wednesday, January 25, 2017 9:18 AM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: Re: [mssms] RE: Intune

[External Email]
Ivan, that's what I always thought, too.  Then I heard from a bunch of 
colleagues in other environments just saying that Hybrid wasn't as responsive 
as Intune Web when it came to device wipes and such.  Have you seen that?

On Wed, Jan 25, 2017 at 8:42 AM, Lindenfeld, Ivan 
mailto:ivan.lindenf...@fnf.com>> wrote:
Hybrid.  One pane of glass.  Also we own EMS licenses for other reasons as well 
as Intune.

Have staff trained on SCCM, easy to KT to the Intune stuff.



From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com>] 
On Behalf Of Heaton, Joseph@Wildlife
Sent: Tuesday, January 24, 2017 4:25 PM
To: 'mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>' 
mailto:mssms@lists.myitforum.com>>
Subject: [mssms] Intune

For those using Intune, are you using it as stand-alone in the O365 cloud, or 
are you running hybrid with SCCM?  If hybrid, why?

Joe Heaton
Information Technology Operations Branch
Data and Technology Division
CA Department of Fish and Wildlife
1700 9th Street, 3rd Floor
Sacramento, CA  95811
Desk:  (916) 323-1284

Every Californian should conserve water.  Find out how at:
[SaveOurWater_Logo]<http://saveourwater.com/>
SaveOurWater.com<http://saveourwater.com/> · 
Drought.CA.gov<http://drought.ca.gov/>


NOTICE: The information contained in this message is proprietary and/or 
confidential and may be privileged. If you are not the intended recipient of 
this communication, you are hereby notified to: (i) delete the message and all 
copies; (ii) do not disclose, distribute or use the message in any manner; and 
(iii) notify the sender immediately.






Confidentiality Notice: This e-mail is from a law firm and may be protected by 
the attorney-client or work product privileges. If you have received this 
message in error, please notify the sender by replying to this e-mail and then 
delete it from your computer.

[mssms] RE: SCEP right-click scan with

[Heaton, Joseph@Wildlife]

So, I did a manual SUP sync, and the below update showed up.  I downloaded, and 
deployed to 3 test machines.  This morning, deployment status shows 2 of my 
machines are compliant.  However, the folder in ccmcache on those machines are 
empty, and the version is still 4.10.207.  Why are they showing as compliant?

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Brian Huneycutt
Sent: Tuesday, January 24, 2017 11:01 AM
To: mssms@lists.myitforum.com
Subject: [mssms] RE: SCEP right-click scan with

We actually just shipped the fix for this as a revision to the 4.10.207 release 
on Microsoft Update. The new version is now 4.10.209.
If you have an existing .207 deployment, you can download the revised content 
after your next SUP sync, or just create a new deployment for .209.
KB article
https://support.microsoft.com/help/3209361


From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Jason Sandys
Sent: Tuesday, January 24, 2017 1:24 PM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: [mssms] RE: SCEP right-click scan with

Correct. Client notification only works on collections or devices from within 
the view of a collection's membership and not in the devices node. I think this 
is technically a bug and not by design but it's been that way since client 
notification was introduced with 2012 SP1.

J

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Melin, Cordell (BAC/LAC)
Sent: Tuesday, January 24, 2017 12:00 PM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: [mssms] RE: SCEP right-click scan with

I am running n1610, but you only get the Endpoint Protection right click if 
doing it to a client in a collection, not directly from under the Devices node.

[cid:image001.png@01D276D5.B906ADE0]

Cordell Melin

Conseiller technique, Direction générale de l'Innovation et du Dirigeant 
principal de l'information
Bibliothèque et Archives 
Canada<https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.bac-lac.gc.ca%2Ffra%2FPages%2Fbac-web.aspx&data=02%7C01%7Cbrianhun%40exchange.microsoft.com%7Ce1bff175c41140ec421c08d444893aae%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636208803576259979&sdata=EFuOCUCIx5CcJ8ty1imL19OFT9aSQ8M%2BYNgwILXty08%3D&reserved=0>
 / Gouvernement du Canada
cordell.me...@canada.ca<mailto:cordell.me...@canada.ca> / Tél. : 613-355-3290

Technical Advisor, Innovation and Chief Information Officer Branch
Library and Archives 
Canada<https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.bac-lac.gc.ca%2Feng%2FPages%2Flac-web.aspx&data=02%7C01%7Cbrianhun%40exchange.microsoft.com%7Ce1bff175c41140ec421c08d444893aae%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636208803576259979&sdata=LoGCRsbNewpbSiwZ%2Bm5HbtV3DBaFW86Pkg5lw5ZO3F0%3D&reserved=0>
 / Government of Canada
cordell.me...@canada.ca<mailto:cordell.me...@canada.ca> / Tel: 613-355-3290



From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Heaton, Joseph@Wildlife
Sent: January 24, 2017 12:27 PM
To: 'mssms@lists.myitforum.com' 
mailto:mssms@lists.myitforum.com>>
Subject: [mssms] SCEP right-click scan with

SCCM 1606

A user noticed a few days ago that the option to right-click a file and choose 
Scan with System Center Endpoint Protection, is not available anymore.  I see 
the same result on my own machine.  I looked through the Antimalware policy, 
and can't find a setting for this.  Am I missing something?

Thanks,

Joe Heaton
Information Technology Operations Branch
Data and Technology Division
CA Department of Fish and Wildlife
1700 9th Street, 3rd Floor
Sacramento, CA  95811
Desk:  (916) 323-1284

Every Californian should conserve water.  Find out how at:
[SaveOurWater_Logo]<https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fsaveourwater.com%2F&data=02%7C01%7Cbrianhun%40exchange.microsoft.com%7Ce1bff175c41140ec421c08d444893aae%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636208803576259979&sdata=BIjSgsZOU7CKOgk1Q6ZM8YJ%2B16BLa06ssiP6GP4jSVc%3D&reserved=0>
SaveOurWater.com<https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fsaveourwater.com%2F&data=02%7C01%7Cbrianhun%40exchange.microsoft.com%7Ce1bff175c41140ec421c08d444893aae%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636208803576259979&sdata=BIjSgsZOU7CKOgk1Q6ZM8YJ%2B16BLa06ssiP6GP4jSVc%3D&reserved=0>
 · 
Drought.CA.gov<https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fdrought.ca.gov%2F&data=02%7C01%7Cbrianhun%40exchange.microsoft.com%7Ce1bff175c41140ec421c08d444893aae%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636208803576259979&sdata=JNA5DVLMv8IqRkIn2uH4Wik4MvIYATqglNbD1pF2V2Y%3D&reserved=0>

[mssms] Intune

[Heaton, Joseph@Wildlife]

For those using Intune, are you using it as stand-alone in the O365 cloud, or 
are you running hybrid with SCCM?  If hybrid, why?

Joe Heaton
Information Technology Operations Branch
Data and Technology Division
CA Department of Fish and Wildlife
1700 9th Street, 3rd Floor
Sacramento, CA  95811
Desk:  (916) 323-1284

Every Californian should conserve water.  Find out how at:
[SaveOurWater_Logo]
SaveOurWater.com * 
Drought.CA.gov

[mssms] SCEP right-click scan with

[Heaton, Joseph@Wildlife]

SCCM 1606

A user noticed a few days ago that the option to right-click a file and choose 
Scan with System Center Endpoint Protection, is not available anymore.  I see 
the same result on my own machine.  I looked through the Antimalware policy, 
and can't find a setting for this.  Am I missing something?

Thanks,

Joe Heaton
Information Technology Operations Branch
Data and Technology Division
CA Department of Fish and Wildlife
1700 9th Street, 3rd Floor
Sacramento, CA  95811
Desk:  (916) 323-1284

Every Californian should conserve water.  Find out how at:
[SaveOurWater_Logo]
SaveOurWater.com * 
Drought.CA.gov

RE: [mssms] Replacing secondary site servers

[Heaton, Joseph@Wildlife]

And that actually simplifies the process, right?  Just nuke the existing, and 
add the new?

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Sherry Kissinger
Sent: Friday, January 20, 2017 1:26 PM
To: mssms@lists.myitforum.com
Subject: Re: [mssms] Replacing secondary site servers

My opinion, and it's just an opinion... and really has little to do with "can 
you, technically..."

If it were me, and I had a choice, I'd change the site code certainly, and if 
possible, the name of the server as well.  I know sometimes politics or 
processes don't allow that.  But the reasoning is because if I'm looking at 
logs or trying to troubleshoot something... and it's the same sitecode and 
servername showing up in the logs... is it a remnant of the old/possibly failed 
site... or the new site config that's in that log?  I'd have less guesswork on 
t-shooting the NEW site if it were a new servername and sitecode.

On Fri, Jan 20, 2017 at 2:52 PM, Heaton, Joseph@Wildlife 
mailto:joseph.hea...@wildlife.ca.gov>> wrote:
So, I still have database replication issues.  Other than that, everything 
works fine.  I’m thinking of nuking one of my secondary sites, and 
reinstalling, hoping that will resolve the issue.  If it does for that site, 
I’ll do the other 14.

I know there is a Delete, and Uninstall option.  I’m thinking Uninstall is the 
way to go, so that the files are removed from the secondary side.  Is this 
process as simple as doing the Uninstall, then recreating them?  Can I use the 
same site code and name that way, or do I have to change?

Thanks,

Joe Heaton
Information Technology Operations Branch
Data and Technology Division
CA Department of Fish and Wildlife
1700 9th Street, 3rd Floor
Sacramento, CA  95811
Desk:  (916) 323-1284

Every Californian should conserve water.  Find out how at:
<http://saveourwater.com/>
SaveOurWater.com · Drought.CA.gov<http://saveourwater.com/>
 <http://saveourwater.com/>



-- <http://saveourwater.com/>
Thank you,

Sherry Kissinger<http://saveourwater.com/>

My Parameters:  Standardize. Simplify. Automate
Blogs: http://www.mofmaster.com, http://mnscug.org/blogs/sherry-kissinger, 
http://www.smguru.org<http://saveourwater.com/>
 <http://saveourwater.com/>

[mssms] Replacing secondary site servers

[Heaton, Joseph@Wildlife]

So, I still have database replication issues.  Other than that, everything 
works fine.  I'm thinking of nuking one of my secondary sites, and 
reinstalling, hoping that will resolve the issue.  If it does for that site, 
I'll do the other 14.

I know there is a Delete, and Uninstall option.  I'm thinking Uninstall is the 
way to go, so that the files are removed from the secondary side.  Is this 
process as simple as doing the Uninstall, then recreating them?  Can I use the 
same site code and name that way, or do I have to change?

Thanks,

Joe Heaton
Information Technology Operations Branch
Data and Technology Division
CA Department of Fish and Wildlife
1700 9th Street, 3rd Floor
Sacramento, CA  95811
Desk:  (916) 323-1284

Every Californian should conserve water.  Find out how at:
[SaveOurWater_Logo]
SaveOurWater.com * 
Drought.CA.gov

[mssms] RE: Issue with database replication

[Heaton, Joseph@Wildlife]

Anyone have any ideas?  Still no progress on my side.  And it seems to be a 
really unique issue, as I'm not finding any real info on the internet, either.

From: Heaton, Joseph@Wildlife
Sent: Tuesday, January 17, 2017 11:17 AM
To: 'mssms@lists.myitforum.com' 
Subject: Issue with database replication

SCCM 1606
Server 2012R2
SQL 2012 RTM

Something happened Sunday morning at around 1:00AM.  Suddenly, all of my 
database replication links are broken.  Running the Replication Link Analyzer, 
I get the following error:

Checking connectivity at site "Primary site name" to the SQL Server "Secondary 
site name\CONFIGMGRSEC"

Connection failure detected between "Primary site" and the SQL Server 
"Secondary site\CONFIGMGRSEC".  Check network and firewall settings between 
these computers. Blah, blah.  Connection failure message:  Failed to get SQL 
connection to "Secondary site\CONFIGMGRSEC"

Things I've tried:


1)  Check Windows Firewall settings to make sure nothing changed

2)  Spoke with Network team, to make sure nothing changed on their side

3)  Checked disk space on secondary

4)  Reboot both Primary and Secondary servers.

5)  Verify SQL services running

6)  telnet from primary to secondary on port 1433, to verify that SQL 
traffic isn't being blocked.

7)  Combed through Application and System logs on both ends, finding 
nothing.

8)  From SQL Management Studio on primary, connected to secondary site 
successfully, I can see the CM_ database.

So, I'm not finding any logs that are telling me what the issue is, but I have 
15 secondary sites with broken database replication. (that is all of my 
secondary sites)  I've done some Googling, with no real luck, either.  Any 
tips, advice, etc. that you guys can offer would be greatly appreciated.

Thanks,

Joe Heaton
Information Technology Operations Branch
Data and Technology Division
CA Department of Fish and Wildlife
1700 9th Street, 3rd Floor
Sacramento, CA  95811
Desk:  (916) 323-1284

Every Californian should conserve water.  Find out how at:
[SaveOurWater_Logo]<http://saveourwater.com/>
SaveOurWater.com<http://saveourwater.com/> * 
Drought.CA.gov<http://drought.ca.gov/>

[mssms] Issue with database replication

[Heaton, Joseph@Wildlife]

SCCM 1606
Server 2012R2
SQL 2012 RTM

Something happened Sunday morning at around 1:00AM.  Suddenly, all of my 
database replication links are broken.  Running the Replication Link Analyzer, 
I get the following error:

Checking connectivity at site "Primary site name" to the SQL Server "Secondary 
site name\CONFIGMGRSEC"

Connection failure detected between "Primary site" and the SQL Server 
"Secondary site\CONFIGMGRSEC".  Check network and firewall settings between 
these computers. Blah, blah.  Connection failure message:  Failed to get SQL 
connection to "Secondary site\CONFIGMGRSEC"

Things I've tried:


1)  Check Windows Firewall settings to make sure nothing changed

2)  Spoke with Network team, to make sure nothing changed on their side

3)  Checked disk space on secondary

4)  Reboot both Primary and Secondary servers.

5)  Verify SQL services running

6)  telnet from primary to secondary on port 1433, to verify that SQL 
traffic isn't being blocked.

7)  Combed through Application and System logs on both ends, finding 
nothing.

8)  From SQL Management Studio on primary, connected to secondary site 
successfully, I can see the CM_ database.

So, I'm not finding any logs that are telling me what the issue is, but I have 
15 secondary sites with broken database replication. (that is all of my 
secondary sites)  I've done some Googling, with no real luck, either.  Any 
tips, advice, etc. that you guys can offer would be greatly appreciated.

Thanks,

Joe Heaton
Information Technology Operations Branch
Data and Technology Division
CA Department of Fish and Wildlife
1700 9th Street, 3rd Floor
Sacramento, CA  95811
Desk:  (916) 323-1284

Every Californian should conserve water.  Find out how at:
[SaveOurWater_Logo]
SaveOurWater.com * 
Drought.CA.gov

RE: [mssms] RE: Flash Player and SCUP

[Heaton, Joseph@Wildlife]

RESOLVED  Yay!

Yes, I screwed around with the certs the other day.  The newer cert was in both 
places, but the version of Flash I was installing, was published to SCCM with 
the original cert.  Today, I put the original certs back in place, and voila!  
The install worked on my 3 test machines.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Sherry Kissinger
Sent: Thursday, January 12, 2017 1:00 PM
To: mssms@lists.myitforum.com
Subject: Re: [mssms] RE: Flash Player and SCUP

"I’m pretty sure that the latest version of Flash was synced to SCUP with the 
cert it has now."
so the update in CM is using a newer cert, which you defined in SCUP and signed 
that update with.
on the CLIENT (not CM), is that newer cert in both Trusted Publisher and 
Trusted Root, on that client?  You might want to visually verify that looking 
at the mmc, certificates for the machine.
The Client has to trust the code-signing certificate used to sign that update.  
It also needs to have that regkey about trusting those certs when used with 
Windows Update.
HKLM\Software\Policies\Microsoft\windowsUpdate\AcceptTrustedPublisherCerts, 
regdword=1.  That one is also usually delivered via GPO.

All of those things have to be there, for the client to install an update which 
did not originate from a known trusted source (in Microsoft's world, that's 
Microsoft alone).  If you want a client to trust something else--like something 
you signed in SCUP that  you got from who-knows-where (in this case, Adobe, not 
Microsoft); the whole chain of trust and signing has to be there from beginning 
to end.

On Thu, Jan 12, 2017 at 12:52 PM, Heaton, Joseph@Wildlife 
mailto:joseph.hea...@wildlife.ca.gov>> wrote:
Hmm, actually, I did change the cert just the other day, after downloading in 
SCUP, and pushing over to SCCM.

I’ll delete the updates from SCCM, and try again.  I’m pretty sure that the 
latest version of Flash was synced to SCUP with the cert it has now.

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com>] 
On Behalf Of Sherry Kissinger
Sent: Thursday, January 12, 2017 10:22 AM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: Re: [mssms] RE: Flash Player and SCUP

https://support.microsoft.com/en-us/kb/2477936
for cm2007; but might still apply.

Are you SURE you have the certificate you used to sign the update in scup, on 
that client's Trusted Publisher and Trusted Root?  What does it say in 
windowsupdate.log?  Did you add that cert to your GPO so that clients get it 
automatically?  (there's other ways to get a code-signing cert to be trusted by 
your clients; but that's what many people do--whatever cert they used to sign 
their updates, is what they deliver to their cilents via GPO--and that cert has 
to be in both trusted root and trusted publisher)

On Thu, Jan 12, 2017 at 10:09 AM, Heaton, Joseph@Wildlife 
mailto:joseph.hea...@wildlife.ca.gov>> wrote:
Sorry for the confusion.  I used SCUP, and pushed it over to SCCM so it shows 
up under All Software Updates.  I then “downloaded” it there, into a deployment 
package, created a SUG, and I’m working with the SUG, deploying it to my 3 test 
machines.

I think I am making progress, but I’m still not there.  I did the GP changes 
that were pointed out yesterday.  I manually installed Flash Player 23.0.0.185 
on one of my test machines, the NPAPI, and Active X.  I then redeployed the SUG 
this morning, telling it to show in Software Center, so I can follow, and at 
least see if it’s even trying to send the content to my test machine.  Both 
updates showed up, tried to install and failed.  This is the error message:


I did a quick Bing search, and came up empty.  I’m not seeing anything in Event 
Viewer, either.

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com>] 
On Behalf Of Sherry Kissinger
Sent: Thursday, January 12, 2017 5:48 AM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: Re: [mssms] RE: Flash Player and SCUP

One thing about your setup, Joseph; that I might be confused on.  You stated 
earlier "packaged up into an updates deployment package,"  Do you mean that you 
downloaded the msi separately, went through a packaging process, and created  
your own, made-it-up-yourself rules in the SCUP console, which just so happened 
to be flashplayer; or did you import the rule from Adobe as a catalog, and 
downloaded the payload from Adobe, via that catalog?

If you created your own package and rules, then we'll have to take a step back 
and look at what your package does, and what you put into the SCUP 
customization for "what means applicable", "what means compliant".

RE: [mssms] RE: Flash Player and SCUP

[Heaton, Joseph@Wildlife]

Hmm, actually, I did change the cert just the other day, after downloading in 
SCUP, and pushing over to SCCM.

I’ll delete the updates from SCCM, and try again.  I’m pretty sure that the 
latest version of Flash was synced to SCUP with the cert it has now.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Sherry Kissinger
Sent: Thursday, January 12, 2017 10:22 AM
To: mssms@lists.myitforum.com
Subject: Re: [mssms] RE: Flash Player and SCUP

https://support.microsoft.com/en-us/kb/2477936
for cm2007; but might still apply.

Are you SURE you have the certificate you used to sign the update in scup, on 
that client's Trusted Publisher and Trusted Root?  What does it say in 
windowsupdate.log?  Did you add that cert to your GPO so that clients get it 
automatically?  (there's other ways to get a code-signing cert to be trusted by 
your clients; but that's what many people do--whatever cert they used to sign 
their updates, is what they deliver to their cilents via GPO--and that cert has 
to be in both trusted root and trusted publisher)

On Thu, Jan 12, 2017 at 10:09 AM, Heaton, Joseph@Wildlife 
mailto:joseph.hea...@wildlife.ca.gov>> wrote:
Sorry for the confusion.  I used SCUP, and pushed it over to SCCM so it shows 
up under All Software Updates.  I then “downloaded” it there, into a deployment 
package, created a SUG, and I’m working with the SUG, deploying it to my 3 test 
machines.

I think I am making progress, but I’m still not there.  I did the GP changes 
that were pointed out yesterday.  I manually installed Flash Player 23.0.0.185 
on one of my test machines, the NPAPI, and Active X.  I then redeployed the SUG 
this morning, telling it to show in Software Center, so I can follow, and at 
least see if it’s even trying to send the content to my test machine.  Both 
updates showed up, tried to install and failed.  This is the error message:

[cid:image001.png@01D26CC2.010696F0]

I did a quick Bing search, and came up empty.  I’m not seeing anything in Event 
Viewer, either.

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com>] 
On Behalf Of Sherry Kissinger
Sent: Thursday, January 12, 2017 5:48 AM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: Re: [mssms] RE: Flash Player and SCUP

One thing about your setup, Joseph; that I might be confused on.  You stated 
earlier "packaged up into an updates deployment package,"  Do you mean that you 
downloaded the msi separately, went through a packaging process, and created  
your own, made-it-up-yourself rules in the SCUP console, which just so happened 
to be flashplayer; or did you import the rule from Adobe as a catalog, and 
downloaded the payload from Adobe, via that catalog?

If you created your own package and rules, then we'll have to take a step back 
and look at what your package does, and what you put into the SCUP 
customization for "what means applicable", "what means compliant".

On Wed, Jan 11, 2017 at 3:55 PM, Brad DeHart 
mailto:br...@khs-net.com>> wrote:
SCUP packages are updates.  You still need a base version deployed before you 
can install an update on top of it.  Depending on your settings, SCCM will take 
a while to discover changes.  For testing, you’ll end up manually running 
detections quite a bit.




Thank you,

Brad DeHart
Kern Health Systems
Senior Network Systems Administrator
Phone: 661-664-5068
Fax: 661-664-5410
br...@khs-net.com<mailto:br...@khs-net.com>
www.kernfamilyhealthcare.com<http://www.kernfamilyhealthcare.com>


From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com<http://myitforum.com>] On Behalf Of 
Heaton, Joseph@Wildlife

Sent: Wednesday, January 11, 2017 10:59 AM

To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: [mssms] RE: Flash Player and SCUP

I did not, so I did enable that setting.  I then created a new deployment in 
SCCM for this.  Now, one machine is already showing as Compliant, with no 
folder in CCMCache, and no Flash Player installed.  This machine did have Flash 
Player installed yesterday, 23.0.0.207.  The package I’m testing with is 
deploying 24.0.0.186.  During testing yesterday, I did uninstall 23.0.0.207 
from the one test machine that is currently showing as Compliant.

This brings up a question of expected behavior of deploying this through 
SCUP/SCCM.  If a machine does NOT have Flash Player installed, will this 
deployment install it?  Or does it require Flash Player to be installed in 
order for the deployment to install the new version?

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsadmin@lists<mailto:listsadmin@lists>.myitforum.com<http://myitforum.com>]
 On Behalf O

RE: [mssms] RE: Flash Player and SCUP

[Heaton, Joseph@Wildlife]

Sorry for the confusion.  I used SCUP, and pushed it over to SCCM so it shows 
up under All Software Updates.  I then “downloaded” it there, into a deployment 
package, created a SUG, and I’m working with the SUG, deploying it to my 3 test 
machines.

I think I am making progress, but I’m still not there.  I did the GP changes 
that were pointed out yesterday.  I manually installed Flash Player 23.0.0.185 
on one of my test machines, the NPAPI, and Active X.  I then redeployed the SUG 
this morning, telling it to show in Software Center, so I can follow, and at 
least see if it’s even trying to send the content to my test machine.  Both 
updates showed up, tried to install and failed.  This is the error message:

[cid:image001.png@01D26CAA.E08E0690]

I did a quick Bing search, and came up empty.  I’m not seeing anything in Event 
Viewer, either.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Sherry Kissinger
Sent: Thursday, January 12, 2017 5:48 AM
To: mssms@lists.myitforum.com
Subject: Re: [mssms] RE: Flash Player and SCUP

One thing about your setup, Joseph; that I might be confused on.  You stated 
earlier "packaged up into an updates deployment package,"  Do you mean that you 
downloaded the msi separately, went through a packaging process, and created  
your own, made-it-up-yourself rules in the SCUP console, which just so happened 
to be flashplayer; or did you import the rule from Adobe as a catalog, and 
downloaded the payload from Adobe, via that catalog?

If you created your own package and rules, then we'll have to take a step back 
and look at what your package does, and what you put into the SCUP 
customization for "what means applicable", "what means compliant".

On Wed, Jan 11, 2017 at 3:55 PM, Brad DeHart 
mailto:br...@khs-net.com>> wrote:
SCUP packages are updates.  You still need a base version deployed before you 
can install an update on top of it.  Depending on your settings, SCCM will take 
a while to discover changes.  For testing, you’ll end up manually running 
detections quite a bit.




Thank you,

Brad DeHart
Kern Health Systems
Senior Network Systems Administrator
Phone: 661-664-5068
Fax: 661-664-5410
br...@khs-net.com<mailto:br...@khs-net.com>
www.kernfamilyhealthcare.com<http://www.kernfamilyhealthcare.com>
<http://www.kernfamilyhealthcare.com>


From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Heaton, Joseph@Wildlife
Sent: Wednesday, January 11, 2017 10:59 AM

To: mssms@lists.myitforum.com
Subject: [mssms] RE: Flash Player and SCUP

I did not, so I did enable that setting.  I then created a new deployment in 
SCCM for this.  Now, one machine is already showing as Compliant, with no 
folder in CCMCache, and no Flash Player installed.  This machine did have Flash 
Player installed yesterday, 23.0.0.207.  The package I’m testing with is 
deploying 24.0.0.186.  During testing yesterday, I did uninstall 23.0.0.207 
from the one test machine that is currently showing as Compliant.

This brings up a question of expected behavior of deploying this through 
SCUP/SCCM.  If a machine does NOT have Flash Player installed, will this 
deployment install it?  Or does it require Flash Player to be installed in 
order for the deployment to install the new version?

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Duncan McAlynn
Sent: Tuesday, January 10, 2017 6:24 PM
To: mssms@lists.myitforum.com
Subject: [mssms] RE: Flash Player and SCUP

Do you have the GPO enabled to accept signed content from an intranet server?

Enable allowance of signed updates.
a) From the tree on the left inside the Group Policy Management Editordialog, 
expand
to Computer Configuration > Policies > Administrative Templates... > Windows
Components > Windows Update.
b) From the main pane, double-click Allow signed updates from an intranet 
Microsoft update
service location.
Note: This option may be called Allow signed content from an intranet Microsoft 
update
service location on different operating older supported operating systems.
c) Select Enabled and click OK.

Duncan McAlynn, Solutions Director, Americas
HEAT Software
M: +1.512.391.9111 | duncan.mcal...@heatsoftware.com
HEAT Software |  490 N McCarthy Blvd. Suite 100 | Milpitas, CA 95035

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Heaton, Joseph@Wildlife
Sent: Tuesday, January 10, 2017 16:15
To: 'mssms@lists.myitforum.com' 
Subject: [mssms] Flash Player and SCUP

I’ve got my SCUP installed, the certs are done and on my test machines.  I’ve 
been able to get Flash Player updates into SCCM, packaged up into an updates 
deployment package, and into a SUG.  I’ve deployed this SUG to a test 
collection, holding my 3 machines that have the certs installed.  The 
deployment now says 100% compliant, and none 

[mssms] RE: Flash Player and SCUP

[Heaton, Joseph@Wildlife]

I did not, so I did enable that setting.  I then created a new deployment in 
SCCM for this.  Now, one machine is already showing as Compliant, with no 
folder in CCMCache, and no Flash Player installed.  This machine did have Flash 
Player installed yesterday, 23.0.0.207.  The package I'm testing with is 
deploying 24.0.0.186.  During testing yesterday, I did uninstall 23.0.0.207 
from the one test machine that is currently showing as Compliant.

This brings up a question of expected behavior of deploying this through 
SCUP/SCCM.  If a machine does NOT have Flash Player installed, will this 
deployment install it?  Or does it require Flash Player to be installed in 
order for the deployment to install the new version?

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Duncan McAlynn
Sent: Tuesday, January 10, 2017 6:24 PM
To: mssms@lists.myitforum.com
Subject: [mssms] RE: Flash Player and SCUP

Do you have the GPO enabled to accept signed content from an intranet server?

Enable allowance of signed updates.
a) From the tree on the left inside the Group Policy Management Editordialog, 
expand
to Computer Configuration > Policies > Administrative Templates... > Windows
Components > Windows Update.
b) From the main pane, double-click Allow signed updates from an intranet 
Microsoft update
service location.
Note: This option may be called Allow signed content from an intranet Microsoft 
update
service location on different operating older supported operating systems.
c) Select Enabled and click OK.

Duncan McAlynn, Solutions Director, Americas
HEAT Software
M: +1.512.391.9111 | 
duncan.mcal...@heatsoftware.com<mailto:duncan.mcal...@heatsoftware.com>
HEAT Software |  490 N McCarthy Blvd. Suite 100 | Milpitas, CA 95035

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Heaton, Joseph@Wildlife
Sent: Tuesday, January 10, 2017 16:15
To: 'mssms@lists.myitforum.com' 
mailto:mssms@lists.myitforum.com>>
Subject: [mssms] Flash Player and SCUP

I've got my SCUP installed, the certs are done and on my test machines.  I've 
been able to get Flash Player updates into SCCM, packaged up into an updates 
deployment package, and into a SUG.  I've deployed this SUG to a test 
collection, holding my 3 machines that have the certs installed.  The 
deployment now says 100% compliant, and none of the machines have Flash player 
installed.

Ideas on what I may have messed up?

Thanks,

Joe Heaton
Information Technology Operations Branch
Data and Technology Division
CA Department of Fish and Wildlife
1700 9th Street, 3rd Floor
Sacramento, CA  95811
Desk:  (916) 323-1284

Every Californian should conserve water.  Find out how at:
[SaveOurWater_Logo]<http://saveourwater.com/>
SaveOurWater.com<http://saveourwater.com/> * 
Drought.CA.gov<http://drought.ca.gov/>

[mssms] Flash Player and SCUP

[Heaton, Joseph@Wildlife]

I've got my SCUP installed, the certs are done and on my test machines.  I've 
been able to get Flash Player updates into SCCM, packaged up into an updates 
deployment package, and into a SUG.  I've deployed this SUG to a test 
collection, holding my 3 machines that have the certs installed.  The 
deployment now says 100% compliant, and none of the machines have Flash player 
installed.

Ideas on what I may have messed up?

Thanks,

Joe Heaton
Information Technology Operations Branch
Data and Technology Division
CA Department of Fish and Wildlife
1700 9th Street, 3rd Floor
Sacramento, CA  95811
Desk:  (916) 323-1284

Every Californian should conserve water.  Find out how at:
[SaveOurWater_Logo]
SaveOurWater.com * 
Drought.CA.gov

RE: [mssms] Adobe FlashPlayer SCUP catalog ?

[Heaton, Joseph@Wildlife]

How do you fix it within SCUP?  I can’t edit that catalog, and can’t add a new 
one, either.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Sherry Kissinger
Sent: Tuesday, January 10, 2017 11:15 AM
To: mssms@lists.myitforum.com
Subject: Re: [mssms] Adobe FlashPlayer SCUP catalog ?

Apparently they moved the catalog location:  
https://forums.adobe.com/thread/2261432
to be this:  
http://fpdownload.adobe.com/get/flashplayer/distribution/win/AdobeFlashPlayerCatalog_SCUP.
 
cab
NOTE, that CaSe matters.  I accidentally put in AdobeFlashPlayercatalog...  
(lower case c) and that failed.

On Tue, Jan 10, 2017 at 1:02 PM, Sherry Kissinger 
mailto:sherrylkissin...@gmail.com>> wrote:
Did Adobe make an announcement and I just didn't see it?

The catalog for FlashPlayer-SCUP was there at 9am central (for old flashplayer 
version)... and not there at noon central when I tried to grab it via SCUP.

If I go to 
https://www.adobe.com/devnet-docs/acrobatetk/tools/AdminGuide/sccm.html#available-catalogs
 , it doesn't mention FlashPlayer at all.  I honestly don't remember if it used 
to--and they yanked it.  Flashplayer via SCUP has been there for so many years 
I just don't think about it anymore.

It's not just me...
https://forums.adobe.com/thread/2261440
https://forums.adobe.com/thread/2261432

Just wondering if there was a memo and I missed it.

--
Thank you,

Sherry Kissinger

My Parameters:  Standardize. Simplify. Automate
Blogs: http://www.mofmaster.com, http://mnscug.org/blogs/sherry-kissinger, 
http://www.smguru.org




--
Thank you,

Sherry Kissinger

My Parameters:  Standardize. Simplify. Automate
Blogs: http://www.mofmaster.com, http://mnscug.org/blogs/sherry-kissinger, 
http://www.smguru.org

RE: [mssms] Adobe FlashPlayer SCUP catalog ?

[Heaton, Joseph@Wildlife]

Never mind my question.  I see there was a space in the path provided, between 
the period and cab.

Thanks very much for sharing this info.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Sherry Kissinger
Sent: Tuesday, January 10, 2017 11:15 AM
To: mssms@lists.myitforum.com
Subject: Re: [mssms] Adobe FlashPlayer SCUP catalog ?

Apparently they moved the catalog location:  
https://forums.adobe.com/thread/2261432
to be this:  
http://fpdownload.adobe.com/get/flashplayer/distribution/win/AdobeFlashPlayerCatalog_SCUP.
 
cab
NOTE, that CaSe matters.  I accidentally put in AdobeFlashPlayercatalog...  
(lower case c) and that failed.

On Tue, Jan 10, 2017 at 1:02 PM, Sherry Kissinger 
mailto:sherrylkissin...@gmail.com>> wrote:
Did Adobe make an announcement and I just didn't see it?

The catalog for FlashPlayer-SCUP was there at 9am central (for old flashplayer 
version)... and not there at noon central when I tried to grab it via SCUP.

If I go to 
https://www.adobe.com/devnet-docs/acrobatetk/tools/AdminGuide/sccm.html#available-catalogs
 , it doesn't mention FlashPlayer at all.  I honestly don't remember if it used 
to--and they yanked it.  Flashplayer via SCUP has been there for so many years 
I just don't think about it anymore.

It's not just me...
https://forums.adobe.com/thread/2261440
https://forums.adobe.com/thread/2261432

Just wondering if there was a memo and I missed it.

--
Thank you,

Sherry Kissinger

My Parameters:  Standardize. Simplify. Automate
Blogs: http://www.mofmaster.com, http://mnscug.org/blogs/sherry-kissinger, 
http://www.smguru.org




--
Thank you,

Sherry Kissinger

My Parameters:  Standardize. Simplify. Automate
Blogs: http://www.mofmaster.com, http://mnscug.org/blogs/sherry-kissinger, 
http://www.smguru.org

[mssms] RE: Rate limits / throttling to DPs

[Heaton, Joseph@Wildlife]

Ok, so my comment was based on this:

"as no content is ever truly sent to them".

So, if no content is sent to the DP, my thought was, where do clients get the 
content if it's not at the DP.  That's the only reason I brought up clients.

So, to go back to my original question:  Since my DPs are installed on 
secondary sites, is the throttling/rate limit set by the file replication 
section that I have found, or is there no rate limits set between the primary 
and secondary?  And, since the DP is installed on the secondary site, was your 
comment of "as no content is ever truly sent to them", meaning that the content 
is on the secondary site, but not in a specific location for the DP role?  The 
content has to be there somewhere, right?

Sorry if I'm being dense here, it's been a long couple of weeks, and I'm trying 
to increase my understanding.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Jason Sandys
Sent: Wednesday, January 04, 2017 7:21 AM
To: mssms@lists.myitforum.com
Subject: [mssms] RE: Rate limits / throttling to DPs

No, not at all. Everything that's been said in this thread has nothing to do 
with clients. Rate limiting is about how the content gets to the DP and where 
the content is stored once it gets to the DP. Clients will always use DPs based 
on boundaries and boundary groups which as noted has nothing to do with rate 
limiting or the content library.

J

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Heaton, Joseph@Wildlife
Sent: Tuesday, January 3, 2017 3:59 PM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: [mssms] RE: Rate limits / throttling to DPs

Hmm.  So, from reading that, it makes no sense to have a DP on a secondary site 
server?  If no content is actually sent to the DP, then all the clients are 
still getting the content from the Primary site?

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Jason Sandys
Sent: Tuesday, January 03, 2017 11:47 AM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: [mssms] RE: Rate limits / throttling to DPs

Actually, those are rate limits to your secondary site, not the DPs. DPs not on 
site servers do in fact have rate limits tabs. As Michael pointed out below 
though, DPs on site serves don't because they share the content library with 
the site server and so having rate limits on the DP makes no sense as no 
content is ever truly sent to them.

J

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Heaton, Joseph@Wildlife
Sent: Tuesday, January 3, 2017 12:05 PM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: [mssms] RE: Rate limits / throttling to DPs

I found where the setting for Rate Limits is located.  It is no longer on the 
DP properties.  It is located under Hierarchy Configuration - File Replication. 
 Go to the properties for those connections, and there is the Rate Limits tab.

To answer your question, though:  My DPs are on Secondary site servers.

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Schultz, Michael A
Sent: Friday, December 30, 2016 11:53 AM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: [mssms] RE: Rate limits / throttling to DPs

Is the DP role in the screenshot a standalone DP or installed on a site server? 
 And did you verify it is missing from all DPs?  Rate Limit tab will not show 
on a DP installed on a site server.

Michael Schultz
Client Systems Engineering
Information Systems
Providence Health & Services
michael.schu...@providence.org<mailto:michael.schu...@providence.org>

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Heaton, Joseph@Wildlife
Sent: Friday, December 23, 2016 9:37 AM
To: 'mssms@lists.myitforum.com' 
mailto:mssms@lists.myitforum.com>>
Subject: [mssms] Rate limits / throttling to DPs

SCCM 1606, including the 3 hotfixes

I know this has been discussed, and I know that I've asked a couple of 
questions.  But I'm still a bit lost on what we can, and cannot do, as far as 
bandwidth throttling to DPs.


1)  I don't have a throttling tab in the properties of my DPs:

2)  My DPs are NOT setup as Pull DPs

3)  If I look at my Distribution Point section, and add the Rate Limits 
column, it says No for all my DPs.

[cid:image001.png@01D2666A.3D012F20]


So, knowing these things, is there a way to set throttling like there was back 
in 2007/2012?  I know about the BITS throttling in Client Setti

[mssms] RE: Rate limits / throttling to DPs

[Heaton, Joseph@Wildlife]

Hmm.  So, from reading that, it makes no sense to have a DP on a secondary site 
server?  If no content is actually sent to the DP, then all the clients are 
still getting the content from the Primary site?

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Jason Sandys
Sent: Tuesday, January 03, 2017 11:47 AM
To: mssms@lists.myitforum.com
Subject: [mssms] RE: Rate limits / throttling to DPs

Actually, those are rate limits to your secondary site, not the DPs. DPs not on 
site servers do in fact have rate limits tabs. As Michael pointed out below 
though, DPs on site serves don't because they share the content library with 
the site server and so having rate limits on the DP makes no sense as no 
content is ever truly sent to them.

J

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Heaton, Joseph@Wildlife
Sent: Tuesday, January 3, 2017 12:05 PM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: [mssms] RE: Rate limits / throttling to DPs

I found where the setting for Rate Limits is located.  It is no longer on the 
DP properties.  It is located under Hierarchy Configuration - File Replication. 
 Go to the properties for those connections, and there is the Rate Limits tab.

To answer your question, though:  My DPs are on Secondary site servers.

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Schultz, Michael A
Sent: Friday, December 30, 2016 11:53 AM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: [mssms] RE: Rate limits / throttling to DPs

Is the DP role in the screenshot a standalone DP or installed on a site server? 
 And did you verify it is missing from all DPs?  Rate Limit tab will not show 
on a DP installed on a site server.

Michael Schultz
Client Systems Engineering
Information Systems
Providence Health & Services
michael.schu...@providence.org<mailto:michael.schu...@providence.org>

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Heaton, Joseph@Wildlife
Sent: Friday, December 23, 2016 9:37 AM
To: 'mssms@lists.myitforum.com' 
mailto:mssms@lists.myitforum.com>>
Subject: [mssms] Rate limits / throttling to DPs

SCCM 1606, including the 3 hotfixes

I know this has been discussed, and I know that I've asked a couple of 
questions.  But I'm still a bit lost on what we can, and cannot do, as far as 
bandwidth throttling to DPs.


1)  I don't have a throttling tab in the properties of my DPs:

2)  My DPs are NOT setup as Pull DPs

3)  If I look at my Distribution Point section, and add the Rate Limits 
column, it says No for all my DPs.

[cid:image001.png@01D265C9.8D3AD280]


So, knowing these things, is there a way to set throttling like there was back 
in 2007/2012?  I know about the BITS throttling in Client Settings, but is that 
really where we set it for data going from the Primary out to the DPs?

Thanks,

Joe Heaton
Information Technology Operations Branch
Data and Technology Division
CA Department of Fish and Wildlife
1700 9th Street, 3rd Floor
Sacramento, CA  95811
Desk:  (916) 323-1284

Every Californian should conserve water.  Find out how at:
[SaveOurWater_Logo]<https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fsaveourwater.com%2F&data=01%7C01%7Cmichael.schultz%40providence.org%7C1144dec03bbd481f11a708d42b70d207%7C2e3190869a2646a3865f615bed576786%7C1&sdata=Dx4rg%2Bg0jKuwf3Rqth2qY8LeiqR5BFzEgzMyMmRMWPo%3D&reserved=0>
SaveOurWater.com<https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fsaveourwater.com%2F&data=01%7C01%7Cmichael.schultz%40providence.org%7C1144dec03bbd481f11a708d42b70d207%7C2e3190869a2646a3865f615bed576786%7C1&sdata=Dx4rg%2Bg0jKuwf3Rqth2qY8LeiqR5BFzEgzMyMmRMWPo%3D&reserved=0>
 * 
Drought.CA.gov<https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fdrought.ca.gov%2F&data=01%7C01%7Cmichael.schultz%40providence.org%7C1144dec03bbd481f11a708d42b70d207%7C2e3190869a2646a3865f615bed576786%7C1&sdata=6zNPYLdPnhI1KVH9UfIrbpBdbfeIFrcfqSNClY5JiAU%3D&reserved=0>




This message is intended for the sole use of the addressee, and may contain 
information that is privileged, confidential and exempt from disclosure under 
applicable law. If you are not the addressee you are hereby notified that you 
may not use, copy, disclose, or distribute to anyone the message or any 
information contained in the message. If you have received this message in 
error, please immediately advise the sender by reply email and delete this 
message.

[mssms] RE: Server 2016 and SCCM

[Heaton, Joseph@Wildlife]

I don't.  But on other servers I have access to Windows updates, and usually 
change the setting manually to Never Check.  Looking at the local policy on the 
2016 server, the only Windows Update setting that is configured is the Specify 
intranet Microsoft update service location, which points to my SCCM server.

Guess it's time to look at making that Group Policy.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Daniel Ratliff
Sent: Tuesday, January 03, 2017 9:52 AM
To: mssms@lists.myitforum.com
Subject: [mssms] RE: Server 2016 and SCCM

Do you have a GPO disabling automatic updates? Check your Windows Updates 
settings in gpedit.msc.

Daniel Ratliff

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Heaton, Joseph@Wildlife
Sent: Tuesday, January 03, 2017 10:51 AM
To: 'mssms@lists.myitforum.com' 
mailto:mssms@lists.myitforum.com>>
Subject: [mssms] Server 2016 and SCCM

I installed my first Server 2016 box last week.  Got it in SCCM, SCEP 
installed, showing managed.  When I came in this morning, the server tells me I 
have Windows Updates that need to be installed?  Isn't it supposed to let SCCM 
control that now?  Or does Server 2016 just do things on its own anyway?

Joe Heaton
Information Technology Operations Branch
Data and Technology Division
CA Department of Fish and Wildlife
1700 9th Street, 3rd Floor
Sacramento, CA  95811
Desk:  (916) 323-1284

Every Californian should conserve water.  Find out how at:
[SaveOurWater_Logo]<http://saveourwater.com/>
SaveOurWater.com<http://saveourwater.com/> * 
Drought.CA.gov<http://drought.ca.gov/>


The information transmitted is intended only for the person or entity to which 
it is addressed
and may contain CONFIDENTIAL material. If you receive this material/information 
in error,
please contact the sender and delete or destroy the material/information.

[mssms] RE: Rate limits / throttling to DPs

[Heaton, Joseph@Wildlife]

I found where the setting for Rate Limits is located.  It is no longer on the 
DP properties.  It is located under Hierarchy Configuration - File Replication. 
 Go to the properties for those connections, and there is the Rate Limits tab.

To answer your question, though:  My DPs are on Secondary site servers.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Schultz, Michael A
Sent: Friday, December 30, 2016 11:53 AM
To: mssms@lists.myitforum.com
Subject: [mssms] RE: Rate limits / throttling to DPs

Is the DP role in the screenshot a standalone DP or installed on a site server? 
 And did you verify it is missing from all DPs?  Rate Limit tab will not show 
on a DP installed on a site server.

Michael Schultz
Client Systems Engineering
Information Systems
Providence Health & Services
michael.schu...@providence.org<mailto:michael.schu...@providence.org>

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Heaton, Joseph@Wildlife
Sent: Friday, December 23, 2016 9:37 AM
To: 'mssms@lists.myitforum.com' 
mailto:mssms@lists.myitforum.com>>
Subject: [mssms] Rate limits / throttling to DPs

SCCM 1606, including the 3 hotfixes

I know this has been discussed, and I know that I've asked a couple of 
questions.  But I'm still a bit lost on what we can, and cannot do, as far as 
bandwidth throttling to DPs.


1)  I don't have a throttling tab in the properties of my DPs:

2)  My DPs are NOT setup as Pull DPs

3)  If I look at my Distribution Point section, and add the Rate Limits 
column, it says No for all my DPs.

[cid:image001.png@01D265A8.C2260B70]


So, knowing these things, is there a way to set throttling like there was back 
in 2007/2012?  I know about the BITS throttling in Client Settings, but is that 
really where we set it for data going from the Primary out to the DPs?

Thanks,

Joe Heaton
Information Technology Operations Branch
Data and Technology Division
CA Department of Fish and Wildlife
1700 9th Street, 3rd Floor
Sacramento, CA  95811
Desk:  (916) 323-1284

Every Californian should conserve water.  Find out how at:
[SaveOurWater_Logo]<https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fsaveourwater.com%2F&data=01%7C01%7Cmichael.schultz%40providence.org%7C1144dec03bbd481f11a708d42b70d207%7C2e3190869a2646a3865f615bed576786%7C1&sdata=Dx4rg%2Bg0jKuwf3Rqth2qY8LeiqR5BFzEgzMyMmRMWPo%3D&reserved=0>
SaveOurWater.com<https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fsaveourwater.com%2F&data=01%7C01%7Cmichael.schultz%40providence.org%7C1144dec03bbd481f11a708d42b70d207%7C2e3190869a2646a3865f615bed576786%7C1&sdata=Dx4rg%2Bg0jKuwf3Rqth2qY8LeiqR5BFzEgzMyMmRMWPo%3D&reserved=0>
 * 
Drought.CA.gov<https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fdrought.ca.gov%2F&data=01%7C01%7Cmichael.schultz%40providence.org%7C1144dec03bbd481f11a708d42b70d207%7C2e3190869a2646a3865f615bed576786%7C1&sdata=6zNPYLdPnhI1KVH9UfIrbpBdbfeIFrcfqSNClY5JiAU%3D&reserved=0>




This message is intended for the sole use of the addressee, and may contain 
information that is privileged, confidential and exempt from disclosure under 
applicable law. If you are not the addressee you are hereby notified that you 
may not use, copy, disclose, or distribute to anyone the message or any 
information contained in the message. If you have received this message in 
error, please immediately advise the sender by reply email and delete this 
message.

[mssms] RE: Site systems never went away after upgrade/replacement

[Heaton, Joseph@Wildlife]

Yes, they are not listed under Servers and Site System Roles

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Schultz, Michael A
Sent: Friday, December 30, 2016 11:55 AM
To: mssms@lists.myitforum.com
Subject: [mssms] RE: Site systems never went away after upgrade/replacement

I know you said you replaced the servers, but did you remove the old ones from 
under Servers and Site System Roles?

Michael Schultz
Client Systems Engineering
Information Systems
Providence Health & Services
michael.schu...@providence.org<mailto:michael.schu...@providence.org>

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Heaton, Joseph@Wildlife
Sent: Thursday, December 22, 2016 1:20 PM
To: 'mssms@lists.myitforum.com' 
mailto:mssms@lists.myitforum.com>>
Subject: [mssms] Site systems never went away after upgrade/replacement

Months ago I did an update to 1602 from 2012R2, blah

During the upgrade I also replaced the servers themselves, in order to go to OS 
2012 R2.  When I installed the new secondary sites, I named them XXXSCCM2, 
since the old names were XXXSCCM1.

When I look at Component Status, I am still seeing both names in the Site 
System column.  How can I clean that up?

[cid:image001.png@01D265A8.DC7D8390]


Thanks,

Joe Heaton
Information Technology Operations Branch
Data and Technology Division
CA Department of Fish and Wildlife
1700 9th Street, 3rd Floor
Sacramento, CA  95811
Desk:  (916) 323-1284

Every Californian should conserve water.  Find out how at:
[SaveOurWater_Logo]<https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fsaveourwater.com%2F&data=01%7C01%7Cmichael.schultz%40providence.org%7Ca897e09d28f640d04d8c08d42ab2c4ad%7C2e3190869a2646a3865f615bed576786%7C1&sdata=fzfOBK%2B7OgjuLFUe5vCA3Z3fJq%2BWBJoQ2t5KYydTsqg%3D&reserved=0>
SaveOurWater.com<https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fsaveourwater.com%2F&data=01%7C01%7Cmichael.schultz%40providence.org%7Ca897e09d28f640d04d8c08d42ab2c4ad%7C2e3190869a2646a3865f615bed576786%7C1&sdata=fzfOBK%2B7OgjuLFUe5vCA3Z3fJq%2BWBJoQ2t5KYydTsqg%3D&reserved=0>
 * 
Drought.CA.gov<https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fdrought.ca.gov%2F&data=01%7C01%7Cmichael.schultz%40providence.org%7Ca897e09d28f640d04d8c08d42ab2c4ad%7C2e3190869a2646a3865f615bed576786%7C1&sdata=903s03ys%2FRg6OMhEumaa%2Fkvr5iYwJnKBEd9TCstq%2FmE%3D&reserved=0>




This message is intended for the sole use of the addressee, and may contain 
information that is privileged, confidential and exempt from disclosure under 
applicable law. If you are not the addressee you are hereby notified that you 
may not use, copy, disclose, or distribute to anyone the message or any 
information contained in the message. If you have received this message in 
error, please immediately advise the sender by reply email and delete this 
message.

[mssms] Server 2016 and SCCM

[Heaton, Joseph@Wildlife]

I installed my first Server 2016 box last week.  Got it in SCCM, SCEP 
installed, showing managed.  When I came in this morning, the server tells me I 
have Windows Updates that need to be installed?  Isn't it supposed to let SCCM 
control that now?  Or does Server 2016 just do things on its own anyway?

Joe Heaton
Information Technology Operations Branch
Data and Technology Division
CA Department of Fish and Wildlife
1700 9th Street, 3rd Floor
Sacramento, CA  95811
Desk:  (916) 323-1284

Every Californian should conserve water.  Find out how at:
[SaveOurWater_Logo]
SaveOurWater.com * 
Drought.CA.gov

[mssms] Rate limits / throttling to DPs

[Heaton, Joseph@Wildlife]

SCCM 1606, including the 3 hotfixes

I know this has been discussed, and I know that I've asked a couple of 
questions.  But I'm still a bit lost on what we can, and cannot do, as far as 
bandwidth throttling to DPs.


1)  I don't have a throttling tab in the properties of my DPs:

2)  My DPs are NOT setup as Pull DPs

3)  If I look at my Distribution Point section, and add the Rate Limits 
column, it says No for all my DPs.

[cid:image002.png@01D25D00.17AECAC0]


So, knowing these things, is there a way to set throttling like there was back 
in 2007/2012?  I know about the BITS throttling in Client Settings, but is that 
really where we set it for data going from the Primary out to the DPs?

Thanks,

Joe Heaton
Information Technology Operations Branch
Data and Technology Division
CA Department of Fish and Wildlife
1700 9th Street, 3rd Floor
Sacramento, CA  95811
Desk:  (916) 323-1284

Every Californian should conserve water.  Find out how at:
[SaveOurWater_Logo]
SaveOurWater.com * 
Drought.CA.gov

[mssms] Site systems never went away after upgrade/replacement

[Heaton, Joseph@Wildlife]

Months ago I did an update to 1602 from 2012R2, blah

During the upgrade I also replaced the servers themselves, in order to go to OS 
2012 R2.  When I installed the new secondary sites, I named them XXXSCCM2, 
since the old names were XXXSCCM1.

When I look at Component Status, I am still seeing both names in the Site 
System column.  How can I clean that up?

[cid:image002.png@01D25C56.0FD780D0]


Thanks,

Joe Heaton
Information Technology Operations Branch
Data and Technology Division
CA Department of Fish and Wildlife
1700 9th Street, 3rd Floor
Sacramento, CA  95811
Desk:  (916) 323-1284

Every Californian should conserve water.  Find out how at:
[SaveOurWater_Logo]
SaveOurWater.com * 
Drought.CA.gov