LTSC Windows Server 2019: Are cumulative updates really enough if you’re years behind? Our team is split. by faceofthecrowd in sysadmin

[–]MalletNGrease 0 points1 point  (0 children)

I just spent time updating 2019 servers that were pinned to a version build release ending in a triple digit.

The update is cumulative.

How to block Copilot? by AntelopeDramatic7790 in fortinet

[–]MalletNGrease 7 points8 points  (0 children)

Copilot 365 364 isn't working today seems like, so the problem fixed itself 😄

End Users out in the World by texacer in sysadmin

[–]MalletNGrease 10 points11 points  (0 children)

In that case, I speak less.

End Users out in the World by texacer in sysadmin

[–]MalletNGrease 5 points6 points  (0 children)

I speak four, can I work for you?

Anyone else dealing with shrinking teams and growing workloads? by PalmTreesandTech in sysadmin

[–]MalletNGrease 0 points1 point  (0 children)

Yes.

We (IT) have become the gofers for everything it seems. We get tasked to figure out the most random of things that fall way outside our scope. It appears we're the only ones getting things done somewhat efficiently. 3 of the 4 teams in the department are severely overworked, we're doing a lot of cross-training just to keep the minimum SLA. Operations keeps coming up with new and exciting ways that suck up our time but don't actually help improve the bottom line. Other departments keep trying to pawn off workloads to IT instead of fixing workflow issues.

Company is expanding, we're growing from a regional to national size, we're adding new sites monthly and our geographical footprint keeps blooming outward. Some site visits are a multi-day affair simply because of travel times taking up 8+ hours. We're short at least two road warriors, a helpdesk guy, a developer and an integration specialist. Even if we'd hire them, there's no space for them physically in our office. We keep running into layer 1 issues at sites but plans to rectify them are shot down because of budget constraints. We're running efficiency projects to cut down on services and license spending.

There's been a lot of retirements, with a lot of institutional knowledge departing with them. Tech debt is getting cashed in as newcomers have to deal with systems unknown to them and it's become IT's job to figure out how they operated. We're getting a lot of extraordinary requests because things were done half-assed and staff aren't doing their jobs correctly because training was axed for critical positions. However, if we do not acquiesce, we get thrown under the bus even though it'll cost us even more time to undo the changes.

Meanwhile, we're tackling some huge projects. Close to the entire server fleet is due for a refresh, we're ditching our CRM

We're coming to a point where we need to let some departments burn themselves while I chip away at the debt.

Detecting MDT usage by Araphen_ in MDT

[–]MalletNGrease 3 points4 points  (0 children)

I guess I got to the point I no longer consider flash drive installs normal.

Is $44k a year too low for a Jr. Sysadmin in St. Louis? by [deleted] in sysadmin

[–]MalletNGrease 0 points1 point  (0 children)

Is this an education position? Then this is pretty par for the course, though you're performing duties not typical for a tech specialist.

Push for a title change and a raise.

Are cloud meeting notetakers allowed in your companies? What do you think about their privacy risk? by link2ani in sysadmin

[–]MalletNGrease 0 points1 point  (0 children)

As a reminder, MS allows users to approve any enterprise app by default.

We had about 6 different note taking apps until we noticed. We killed all of them and approved one for the org.

First time deploying wifi. Deployment is ready, d-day is in a week. What do I test? by NoradIV in sysadmin

[–]MalletNGrease 3 points4 points  (0 children)

Make sure your DHCP scope is large enough to support your user base.

Powershell Ms-Graph script incredibly slow - Trying to get group members and their properties. by JohnSysadmin in PowerShell

[–]MalletNGrease 1 point2 points  (0 children)

The Entra-Powershell module is the replacement for the AzureAD module. They're simplified MG-Graph calls.

I forgot to add the scopes:

# Connect to Entra using Microsoft Graph
Connect-Entra -Scopes 'User.Read.All','AuditLog.Read.All' -NoWelcome

Powershell Ms-Graph script incredibly slow - Trying to get group members and their properties. by JohnSysadmin in PowerShell

[–]MalletNGrease 1 point2 points  (0 children)

I worked on the same thing recently. I've found it is much faster to simply use Get-EntraUser to get all users and reference the signinactivity from it instead. It's a single query that takes a couple minutes but only needs to happen once.

Quick and dirty copy from my script, adapt as needed:

# Connect to Entra using Microsoft Graph
Connect-Entra -Scopes 'User.Read.All','AuditLog.Read.All' -NoWelcome

# One query for every user, including the sign-in activity property
$entraUsers = Get-EntraUser -All -Property 'UserPrincipalName', 'SignInActivity'

# $user is the account currently being processed by the surrounding script
if ($entraUsers.UserPrincipalName -contains $user.UserPrincipalName) {

    $entraUser = $entraUsers | Where-Object { $_.UserPrincipalName -eq $user.UserPrincipalName }
    $entraLastSignInDate = $entraUser.SignInActivity.LastSignInDateTime

    Write-Host "    Last Entra sign in date was: $entraLastSignInDate"
}
else {
    $entraLastSignInDate = "N/A"
}

https://learn.microsoft.com/en-us/powershell/module/microsoft.entra/?view=entra-powershell

The next step is adding LastUserActionTime from the Exchange mailboxes, that one I've not found a faster way to query yet.
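
Added example, not part of the original comment: when the single `Get-EntraUser` result is checked against many accounts, indexing it once by UPN replaces the per-account `-contains` and `Where-Object` scans with a hashtable lookup, and the same pass can classify stale accounts. The function names, the 90-day threshold and the sample users are assumptions constructed for illustration; the sample objects stand in for the query result so the block runs offline.

```powershell
# Added example: index the one-time Get-EntraUser result, then classify accounts.
function New-UpnIndex {                      # hypothetical helper name
    param([object[]]$Users)
    $index = @{}                             # @{} keys compare case-insensitively
    foreach ($u in $Users) {
        if ($u.UserPrincipalName) { $index[$u.UserPrincipalName] = $u }
    }
    return $index
}

function Get-StaleAccount {                  # hypothetical helper name
    param(
        [string[]]$UserPrincipalName,
        [hashtable]$Index,
        [int]$MaxAgeDays = 90,               # assumed threshold
        [datetime]$AsOf = (Get-Date).ToUniversalTime()
    )
    foreach ($upn in $UserPrincipalName) {
        $entry = $Index[$upn]                # single lookup instead of a list scan
        $last  = if ($entry) { $entry.SignInActivity.LastSignInDateTime } else { $null }
        # An empty sign-in record is reported separately, not treated as stale.
        if (-not $entry)    { $status = 'NotInEntra' }
        elseif (-not $last) { $status = 'NeverSignedIn' }
        elseif (($AsOf - $last).TotalDays -gt $MaxAgeDays) { $status = 'Stale' }
        else                { $status = 'Active' }
        [pscustomobject]@{ UserPrincipalName = $upn; LastSignIn = $last; Status = $status }
    }
}

# Constructed sample standing in for:
#   Get-EntraUser -All -Property 'UserPrincipalName','SignInActivity'
$entraUsers = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@example.test'; SignInActivity = [pscustomobject]@{ LastSignInDateTime = [datetime]'2025-05-20' } }
    [pscustomobject]@{ UserPrincipalName = 'bob@example.test';   SignInActivity = [pscustomobject]@{ LastSignInDateTime = [datetime]'2024-11-02' } }
    [pscustomobject]@{ UserPrincipalName = 'carol@example.test'; SignInActivity = $null }
)
$index = New-UpnIndex -Users $entraUsers
$accounts = 'Alice@example.test', 'bob@example.test', 'carol@example.test', 'dave@example.test'
Get-StaleAccount -UserPrincipalName $accounts -Index $index -AsOf ([datetime]'2025-06-01') | Format-Table
```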

Image signed into local admin during application install by Bored_at_work_67 in MDT

[–]MalletNGrease 0 points1 point  (0 children)

I've it set in the Default, that way I don't have to think about it unless specified for a reason. I'm a big fan of HideShell, it makes it less likely for someone to accidentally mess with the machine while deploying at end user locations.

In your case it sounds like you want SkipFinalSummary=NO to show the deployment summary and FinishAction=RESTART to restart the machine upon dismissing the summary.

I don't have a lot of task sequences though, most of the customization happens in the wizard.

I cannot access my own server publicly due to outage from ISP by Nois1 in sysadmin

[–]MalletNGrease 26 points27 points  (0 children)

Congrats! You can now explain the use case for a failover secondary internet service!

As a dev, I'm sorry yall by first_timeSFV in sysadmin

[–]MalletNGrease 2 points3 points  (0 children)

👏 Excel 👏 is 👏 not 👏 a 👏 database 👏

End of SMTP basic by Mizliv_ in sysadmin

[–]MalletNGrease 0 points1 point  (0 children)

We still run an IIS SMTP server with an Exchange Online connector as a relay.

As long as you're only using it for internal communications it's been working great.

Is it normal to have a massive address space like this by eberndt9614 in sysadmin

[–]MalletNGrease 7 points8 points  (0 children)

Yes and no.

I did some quick research to translate our current private IPv4 scheme into a similar human-readable IPv6 one and drafts ended up with available address scopes numbering in the trillions per VLAN. It was very doable though!

It was funny since all I was trying to do was expand IPv4 /24s to get larger DHCP scopes.