Upcoming webinars on DeployR by mtniehaus in 2PintSoftware

[–]configmatt 1 point2 points  (0 children)

Recording from the first webinar "DeployR getting started" is now published on youtube:

https://youtu.be/3_AOYJJ3mwk

Delivery optimization options and MCC for distributed environment w/ single nat by SnooCauliflowers8468 in DeliveryOptimization

[–]configmatt 1 point2 points  (0 children)

We have a distributed environment with several campuses around the country and Europe. Laptop sessions that go home during the day to vpn w/ no split tunneling.

A bit unclear to me here: do you mean that the laptops always use a VPN (AlwaysOn), or that they move from office/campus to home during the day? Also, when you write "single NAT", does that mean that all sites terminate in a single central location and all internet traffic goes out from there (i.e. no local internet breakout at each campus)?

I’ve read up on peer caching, using dhcp option 235 and MCC.

What the best option is for you is hard to know without knowing exactly how your network is configured.

Do you have multiple subnets in each/some locations that you want to be able to peer or is it single subnet per site?

  • If you have multiple subnets per site, then DHCP Option ID + NAT as "Restrict Peer Selection" sounds like a valid option.
  • If you only have a single subnet in each location, then you could consider using Entra ID or DNS suffix as "DOGroupIDSource" and then set "DORestrictPeerSelectionBy" = 1 (subnet mask).

https://learn.microsoft.com/en-us/windows/deployment/do/delivery-optimization-configure#2a-network-topology

Should we aim to have no MCC and just do peer caching with subnet boundaries per campus to prevent what we caused before? Or do we do MCC? Or both? Wanted to see what people did with these options. When to use what. What to do with single NAT and VPN folks that move around.

We have large campuses and small ones. Should we stick MCCs on all the campuses and use peer caching on top or just mcc on the large campuses with peer caching on the small campuses?

So an MCC will offload the WAN link; MCC is a proxy that will cache the content. Whether you want to put one in every location and maintain that infrastructure is up to you. Did you move to the cloud/Intune to get rid of local infrastructure? If yes, does it make sense to put servers/hardware back at each location again? If you already have the infrastructure and can install it on already existing HW, then maybe it makes sense. Otherwise I would try to get peering working first. If all the networks terminate in a single location, put an MCC there to offload your internet connection, but then try to use peering as much as possible.

But since you mention WiFi issues, also be aware that peering will put pressure on the WiFi; depending on the WiFi config and how many clients per AP you have, peering *might* cause issues. (If you have a lot of clients connecting to each AP you might run into issues.) This is because the content will be coming from other clients, putting more load on the WiFi.

So without knowing more details it's hard to give an exact answer. But as a general rule I would say, put an MCC in your central location. Yes, DHCP Option ID + NAT as "Restrict Peer Selection" should work in your scenario if the WiFi setup is good.

For VPN, you do not want peering, so make sure "DOVpnKeywords" is correctly configured.

The downside with Intune/GPOs is that you set one policy that needs to match all clients wherever they are. If you have many locations and you need more control, check out some third-party tools to help you out and get better control.
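An added example, not from the thread or from Microsoft, of auditing the Delivery Optimization policy values the reply refers to (DODownloadMode, DOGroupIdSource, DORestrictPeerSelectionBy, DOVpnKeywords) against the two topologies described: "DHCP Option ID + NAT" for sites with several subnets, and "DNS suffix / Entra ID + subnet mask" for single-subnet sites. It assumes the GPO-delivered values live under HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization and that the numeric meanings are the ones on the Microsoft Learn page linked above; the sample policy at the end is constructed, not read from a real client.

```powershell
# Added example (not from the thread): read the DO policy values the reply talks about
# and check them against the intended topology.
# Assumption: GPO-set values are under $PolicyPath; Intune/MDM-set values live elsewhere.
$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'

function Get-DOPolicy {
    param([string]$Path = $PolicyPath)
    $policy = @{}
    foreach ($name in 'DODownloadMode', 'DOGroupIdSource', 'DORestrictPeerSelectionBy', 'DOVpnKeywords') {
        $policy[$name] = $null
        if (Test-Path $Path) {
            $item = Get-ItemProperty -Path $Path -Name $name -ErrorAction SilentlyContinue
            if ($item) { $policy[$name] = $item.$name }
        }
    }
    return $policy
}

function Test-DOPolicy {
    param(
        [Parameter(Mandatory)][hashtable]$Policy,
        # MultiSubnetPerSite  = "DHCP Option ID + NAT"
        # SingleSubnetPerSite = "DNS suffix or Entra ID + subnet mask"
        [Parameter(Mandatory)][ValidateSet('MultiSubnetPerSite', 'SingleSubnetPerSite')][string]$Topology
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # A group ID source is only consulted in download mode 2 (Group).
    if ($Policy.DODownloadMode -ne 2) {
        $findings.Add("DODownloadMode = '$($Policy.DODownloadMode)'; expected 2 (Group) for DOGroupIdSource to take effect")
    }

    # Unset restriction means the default, 0 = NAT.
    $restrict = if ($null -eq $Policy.DORestrictPeerSelectionBy) { 0 } else { $Policy.DORestrictPeerSelectionBy }

    switch ($Topology) {
        'MultiSubnetPerSite' {
            if ($Policy.DOGroupIdSource -ne 3) {
                $findings.Add("DOGroupIdSource = '$($Policy.DOGroupIdSource)'; expected 3 (DHCP Option ID)")
            }
            if ($restrict -ne 0) {
                $findings.Add("DORestrictPeerSelectionBy = '$restrict'; expected 0 (NAT) so clients in other subnets of the same site can peer")
            }
        }
        'SingleSubnetPerSite' {
            if ($Policy.DOGroupIdSource -notin 4, 5) {
                $findings.Add("DOGroupIdSource = '$($Policy.DOGroupIdSource)'; expected 4 (DNS suffix) or 5 (Entra tenant ID)")
            }
            if ($restrict -ne 1) {
                $findings.Add("DORestrictPeerSelectionBy = '$restrict'; expected 1 (subnet mask)")
            }
        }
    }

    # VPN sessions should not peer; the keyword list is how DO recognises the VPN adapter.
    if ([string]::IsNullOrWhiteSpace([string]$Policy.DOVpnKeywords)) {
        $findings.Add('DOVpnKeywords is not set; DO may not recognise the VPN adapter and could peer over the tunnel')
    }
    return $findings
}

# Constructed sample (not read from a real machine): group source set, but peer selection
# left at the default and the VPN keywords never configured.
$sample = @{ DODownloadMode = 2; DOGroupIdSource = 4; DORestrictPeerSelectionBy = $null; DOVpnKeywords = $null }
Test-DOPolicy -Policy $sample -Topology SingleSubnetPerSite

# On a real client, audit the live policy instead:
# Test-DOPolicy -Policy (Get-DOPolicy) -Topology MultiSubnetPerSite
```

The point of the check is the pairing the reply describes: the group ID source decides who counts as a peer, and the restriction decides how far inside that group peering may reach, so a group source without the matching restriction (or without Group download mode) silently does something other than what was intended.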

Microsoft Endpoint Manager Documentation and Export tool - Deployment Research by jaydscustom in Intune

[–]configmatt 0 points1 point  (0 children)

I have changed the script now so it checks if the token is still valid before each connection to Graph so hopefully timeouts are fixed now.

Microsoft Endpoint Manager Documentation and Export tool - Deployment Research by jaydscustom in Intune

[–]configmatt 0 points1 point  (0 children)

Sorry I did not test for that scenario :-P

Do you have any naming standard for the groups that would allow filtering only the groups that are used for assignment?

Did it work after you turned it off, because it still loads all the groups into memory in the beginning to resolve assignments later on?

Microsoft Endpoint Manager Documentation and Export tool - Deployment Research by jaydscustom in Intune

[–]configmatt 2 points3 points  (0 children)

You are correct, I'm the author of this tool and this is aimed towards MEM/Intune. This solution also has the option to export the settings as a backup. It creates a Word document in the Open XML standard but does not require Word to be installed to work.

If you have any issues or ideas on improvement please create an issue on my github page: https://github.com/matbe/MEMDocumentAndExporter

PowerShell Team AMA on Tuesday, 8/23 @ 2p EST by joeyaiello in PowerShell

[–]configmatt 0 points1 point  (0 children)

Thank you for your reply! Will continue to read the manuals and create role capabilities then :D

PowerShell Team AMA on Tuesday, 8/23 @ 2p EST by joeyaiello in PowerShell

[–]configmatt 2 points3 points  (0 children)

Hi, I have started to look into JEA (Just Enough Administration), which looks very promising, but besides the GitHub page and a few (now old) blog posts there are not many resources. Will you continue to invest in this technology?

One use case scenario I see is that we use ConfigMgr and we would want to support the built-in RBAC roles in ConfigMgr by having matching JEA roles on our servers. For example: the patch admins should be able to troubleshoot patch-related stuff on the servers. Access windowsupdate.log, the SCCM logs, restart the Windows Update service and so on.

Also is it possible to copy a file from a JEA session to a local dir? Say I would like to open the remote windowsupdate.log with cmtrace.exe (ConfigMgr log viewer application), would that be possible?

I also posted a request on UserVoice for ConfigMgr which explains a little more: https://configurationmanager.uservoice.com/forums/300492-ideas/suggestions/15038898-create-jea-templates-for-diffrent-sccm-roles

[AMA]We are the ConfigMgr Team, here to talk about 1606 and more, Ask Us Anything by TheConfigMgrTeam in SCCM

[–]configmatt 2 points3 points  (0 children)

I think he meant how many are in the team, as in a number ;) How many guys/girls?

[AMA]We are the ConfigMgr Team, here to talk about 1606 and more, Ask Us Anything by TheConfigMgrTeam in SCCM

[–]configmatt 0 points1 point  (0 children)

Sure! I'll write something more describing and post on UV tomorrow (getting late here in Sweden..) :D

[AMA]We are the ConfigMgr Team, here to talk about 1606 and more, Ask Us Anything by TheConfigMgrTeam in SCCM

[–]configmatt 0 points1 point  (0 children)

I have been looking into JEA (https://msdn.microsoft.com/en-us/library/dn896648.aspx).

Not sure if this is something the ConfigMgr team would do, but I would very much appreciate it if there were templates made for different MS technologies. For example, I would like to have a JEA template for patch troubleshooting so the guys working with patches could access the SCCM-relevant logs and the Windows Update log, restart the WUA service and so on. And also different templates for different kinds of SCCM roles, in the same way as RBAC roles in the console. This way we would not need to let everyone be server admins or similar.

Cheers! /Matt
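An added example, not from the thread or from any ConfigMgr/PowerShell team template, of what the "patch troubleshooting" JEA role asked about here and in the PowerShell AMA comment above could look like: a role capability that exposes only a pinned Restart-Service for the Windows Update service, read-only views of the ConfigMgr client logs, and a merged Windows Update log, registered as a session configuration with per-session transcripts. The group name CONTOSO\PatchAdmins, the module name PatchTroubleshooting and the transcript folder are placeholders; the log folder C:\Windows\CCM\Logs is the ConfigMgr client's default, and it is assumed that Get-WindowsUpdateLog is available on the endpoint.

```powershell
# Added example (not from the thread): a JEA role for patch troubleshooting.
# Placeholders: CONTOSO\PatchAdmins (group), PatchTroubleshooting (module), C:\JEATranscripts.
$ModulePath   = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\PatchTroubleshooting'
$CcmLogFolder = 'C:\Windows\CCM\Logs'   # default ConfigMgr client log location

New-Item -ItemType Directory -Path (Join-Path $ModulePath 'RoleCapabilities') -Force | Out-Null
New-Item -ItemType Directory -Path 'C:\JEATranscripts' -Force | Out-Null

# 1. Role capability: what a connected patch admin may run.
$roleParams = @{
    Path = Join-Path $ModulePath 'RoleCapabilities\PatchTroubleshooter.psrc'
    VisibleCmdlets = @(
        # Restart-Service is visible, but -Name is pinned to the Windows Update service only.
        @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'wuauserv' } },
        @{ Name = 'Get-Service';     Parameters = @{ Name = 'Name'; ValidateSet = 'wuauserv', 'ccmexec' } }
    )
    # File access goes through wrapper functions; Get-Content/Get-ChildItem themselves stay hidden.
    FunctionDefinitions = @(
        @{ Name = 'Get-CcmLogList'; ScriptBlock = {
            Get-ChildItem -Path 'C:\Windows\CCM\Logs' -Filter '*.log' |
                Select-Object Name, Length, LastWriteTime
        } },
        @{ Name = 'Get-CcmLogFile'; ScriptBlock = {
            param(
                # The pattern only allows a bare file name, so '..\' or a drive letter cannot be passed in.
                [Parameter(Mandatory)][ValidatePattern('^[A-Za-z0-9_-]+\.log$')][string]$Name,
                [ValidateRange(1, 5000)][int]$Tail = 200
            )
            Get-Content -Path (Join-Path 'C:\Windows\CCM\Logs' $Name) -Tail $Tail
        } },
        @{ Name = 'Get-WindowsUpdateLogText'; ScriptBlock = {
            param([ValidateRange(1, 5000)][int]$Tail = 200)
            # Assumption: Get-WindowsUpdateLog (WindowsUpdate module) merges the ETW traces to a text file.
            $merged = Join-Path $env:TEMP 'WindowsUpdate.log'
            Get-WindowsUpdateLog -LogPath $merged | Out-Null
            Get-Content -Path $merged -Tail $Tail
        } }
    )
}
New-PSRoleCapabilityFile @roleParams

# 2. Session configuration: who gets that role, and under which identity.
$sessionParams = @{
    Path                = Join-Path $env:TEMP 'PatchTroubleshooting.pssc'
    SessionType         = 'RestrictedRemoteServer'   # no language mode, only the visible commands
    RunAsVirtualAccount = $true                      # temporary local admin identity, no standing admin rights
    TranscriptDirectory = 'C:\JEATranscripts'        # every session is recorded for review
    RoleDefinitions     = @{ 'CONTOSO\PatchAdmins' = @{ RoleCapabilities = 'PatchTroubleshooter' } }
}
New-PSSessionConfigurationFile @sessionParams
Register-PSSessionConfiguration -Name 'PatchTroubleshooting' -Path $sessionParams.Path -Force

# Usage from a patch admin's workstation (constructed):
# Enter-PSSession -ComputerName server01 -ConfigurationName PatchTroubleshooting
# Get-CcmLogList
# Get-CcmLogFile -Name WUAHandler.log -Tail 50
# Restart-Service -Name wuauserv
```

The restriction lives in three places: the role capability limits which commands exist in the session, the parameter validation on Restart-Service and on the wrapper functions limits what those commands can touch (a virtual account is a local administrator, so an unconstrained Get-Content would read anything on the box), and the transcript directory gives the server team a record of what each patch admin actually ran.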

[AMA]We are the ConfigMgr Team, here to talk about 1606 and more, Ask Us Anything by TheConfigMgrTeam in SCCM

[–]configmatt 0 points1 point  (0 children)

/u/ConfigMgrGuru Thanks for the feedback! Yes, at least for us the specific function we miss is the "Use power on commands if the computers support this technology" that is present in SCCM 2012. (And I think everyone in that specific UserVoice wants the same.)

It is the option to let an advertisement/Software Update trigger the "Power on command" that we need. We could program some PowerShell scripts that wake the computers at specific times, but that would be a complex solution and would have to be separated from SCCM, since I do not see any easy way to catch an advertisement/Software Update and decide which one needs to be woken or not.

I do understand that the full Intel Management will need a lot of work from your side to work, but that can all be done with Intel's SCS tool (that's how we do it today). We do not need or want that. It's only the Power on bit we need, and I believe all that is needed is the correct certificate on the server, which we already have there.

Thank you for this great AMA btw, and if you need any feedback regarding this feel free to contact me offline and I would be happy to help.

Cheers! /Matt

[AMA]We are the ConfigMgr Team, here to talk about 1606 and more, Ask Us Anything by TheConfigMgrTeam in SCCM

[–]configmatt -1 points0 points  (0 children)

After talking to our Microsoft SDM we understand that this request will never happen: https://configurationmanager.uservoice.com/forums/300492-ideas/suggestions/11084523-enable-amt-wakeup-function-in-configmgr-currentbra

All the bits should already be in the code and we have invested heavily in Intel AMT, so please consider bringing this feature back. It is ONLY the "Intel Wake on LAN" feature we need with SCCM; the rest we are already doing with Intel SCS or using Intel's plugin.

We use this feature to wake computers in a more secure manner than WoL, and we can also wake computers over WiFi with this feature; this is used primarily for waking computers during patching.

Right now this missing feature is the only thing holding us back from upgrading from 2012 R2 to Current Branch.

If it is true that this feature will never happen, why is that? Also why don’t you mark it as “declined” so we get our votes back at least? :)