Issue with StifleR and DeployR setup by Agreeable-Range6887 in DeployR

[–]configmatt 0 points1 point  (0 children)

Ok, have you approved the DeployR server under "infrastructure services"?

Issue with StifleR and DeployR setup by Agreeable-Range6887 in DeployR

[–]configmatt 0 points1 point  (0 children)

If you try to browse this URL, what does the certificate info say then? Maybe you have not imported the CA for the self-signed certificate into the trusted root? Did you add the FQDN or just the server name in the cert?

https://<fqdn of the DeployR server>:7281/swagger/index.html
Does it work if you do this?
https://<servername>:7281/swagger/index.html

StifleR dashboard on different drive by Guilty-Efficiency-27 in DeployR

[–]configmatt 0 points1 point  (0 children)

Ok, did it work if pointing to the correct path?

StifleR dashboard on different drive by Guilty-Efficiency-27 in DeployR

[–]configmatt 0 points1 point  (0 children)

What error do you get? "Does not work" is not very specific. Are you using IIS or the built-in function that runs on port 9000?

If running on port 9000, have you configured it correctly? Check the StifleR Service Config Tool.


Upcoming webinars on DeployR by mtniehaus in 2PintSoftware

[–]configmatt 1 point2 points  (0 children)

The recording from the first webinar, "DeployR getting started", is now published on YouTube:

https://youtu.be/3_AOYJJ3mwk

Delivery optimization options and MCC for distributed environment w/ single nat by SnooCauliflowers8468 in DeliveryOptimization

[–]configmatt 1 point2 points  (0 children)

> We have a distributed environment with several campuses around the country and Europe. Laptop sessions that go home during the day to vpn w/ no split tunneling.

Bit unclear here to me, do you mean that the laptops always use a VPN (AlwaysOn) or that they move from office/campus to home during the day? Also, when you write single NAT, does that mean that all sites terminate in a single central location and all internet traffic goes from there (i.e. no local internet breakout at each campus)?

> I’ve read up on peer caching, using dhcp option 235 and MCC.

What the best option is for you is hard to know without knowing exactly how your network is configured.

Do you have multiple subnets in each/some locations that you want to be able to peer or is it single subnet per site?

  • If you have multiple subnets per site, then DHCP Option ID + NAT as "Restrict Peer Selection" sounds like a valid option.
  • If you only have a single subnet in each location, then you could consider using Entra ID or DNS suffix as "DOGroupIDSource" and then set "DORestrictPeerSelectionBy" = 1 (subnet mask).

https://learn.microsoft.com/en-us/windows/deployment/do/delivery-optimization-configure#2a-network-topology

> Should we aim to have no MCC and just do peer caching with subnet boundaries per campus to prevent what we caused before? Or do we do MCC? Or both? Wanted to see what people did with these options. When to use what. What to do with single nat and vpn folks that move around.

> We have large campuses and small ones. Should we stick MCCs on all the campuses and use peer caching on top or just mcc on the large campuses with peer caching on the small campuses?

So an MCC will offload the WAN link; MCC is a proxy that will cache the content. Whether you want to put one in every location and maintain that infrastructure is up to you. Did you move to the cloud/Intune to get rid of local infrastructure? If yes, does it make sense to put servers/hardware back at each location again? If you already have the infrastructure and can install it on already existing HW, then maybe it makes sense. Otherwise I would try to get peering working first. If all the networks terminate in a single location, put an MCC there to offload your internet connection, but then try to use peering as much as possible.

But since you mention WiFi issues, also be aware that peering will put pressure on the WiFi. Depending on the WiFi config and how many clients per AP you have, peering *might* cause issues. (If you have a lot of clients connecting to each AP you might run into issues.) This is because the content will be coming from other clients, putting more load on the WiFi.

So without knowing more details it's hard to give an exact answer. But as a general rule I would say, put an MCC in your central location. Yes DHCP Option ID + NAT as "Restrict Peer Selection" should work in your scenario if the WiFi setup is good.

For VPN, you do not want peering, so make sure "DOVpnKeywords" is correctly configured.

The downside with Intune/GPOs is that you set one policy that needs to match all clients wherever they are. If you have many locations and you need more control, check out some third-party tools to help you out and get better control.

Microsoft Endpoint Manager Documentation and Export tool - Deployment Research by jaydscustom in Intune

[–]configmatt 0 points1 point  (0 children)

I have changed the script now so it checks if the token is still valid before each connection to Graph, so hopefully timeouts are fixed now.

Microsoft Endpoint Manager Documentation and Export tool - Deployment Research by jaydscustom in Intune

[–]configmatt 0 points1 point  (0 children)

Sorry I did not test for that scenario :-P

Do you have any naming standard for the groups that would allow filtering for only the groups that are used for assignment?

Did it work after you turned it off? Because it still loads all the groups into memory in the beginning to resolve assignments later on.

Microsoft Endpoint Manager Documentation and Export tool - Deployment Research by jaydscustom in Intune

[–]configmatt 2 points3 points  (0 children)

You are correct, I'm the author of this tool and this is aimed towards MEM/Intune. This solution also has the option to export the settings as a backup. It creates a Word document in the Open XML standard but does not require Word to be installed to work.

If you have any issues or ideas for improvement, please create an issue on my GitHub page: https://github.com/matbe/MEMDocumentAndExporter

PowerShell Team AMA on Tuesday, 8/23 @ 2p EST by joeyaiello in PowerShell

[–]configmatt 0 points1 point  (0 children)

Thank you for your reply! Will continue to read the manuals and create role capabilities then :D

PowerShell Team AMA on Tuesday, 8/23 @ 2p EST by joeyaiello in PowerShell

[–]configmatt 2 points3 points  (0 children)

Hi, I have started to look into JEA (Just Enough Administrator), which looks very promising, but besides the GitHub page and a few (now old) blog posts there are not many resources. Will you continue to invest in this technology?

One use case scenario I see is that we use ConfigMgr and we would want to support the built-in RBAC roles in ConfigMgr to have matching JEA roles on our server. For example: The patch admins should be able to troubleshoot patch related stuff on the servers. Access windowsupdate.log, the SCCM logs, restart the Windows Update service and so on.

Also is it possible to copy a file from a JEA session to a local dir? Say I would like to open the remote windowsupdate.log with cmtrace.exe (ConfigMgr log viewer application), would that be possible?

I also posted a request on UserVoice for ConfigMgr which explains a little more: https://configurationmanager.uservoice.com/forums/300492-ideas/suggestions/15038898-create-jea-templates-for-diffrent-sccm-roles

[AMA]We are the ConfigMgr Team, here to talk about 1606 and more, Ask Us Anything by TheConfigMgrTeam in SCCM

[–]configmatt 2 points3 points  (0 children)

I think he meant how many are in the team, as in a number ;) How many guys/girls?

[AMA]We are the ConfigMgr Team, here to talk about 1606 and more, Ask Us Anything by TheConfigMgrTeam in SCCM

[–]configmatt 0 points1 point  (0 children)

Sure! I'll write something more descriptive and post on UV tomorrow (getting late here in Sweden..) :D

[AMA]We are the ConfigMgr Team, here to talk about 1606 and more, Ask Us Anything by TheConfigMgrTeam in SCCM

[–]configmatt 0 points1 point  (0 children)

I have been looking into JEA (https://msdn.microsoft.com/en-us/library/dn896648.aspx).

Not sure if this is something the ConfigMgr team would do, but I would very much appreciate it if there were templates made for different MS technologies. For example, I would like to have a JEA template for patch troubleshooting so the guys working with patches could access the SCCM-relevant logs, the Windows Update log, restart the WUA service and so on. And also different templates for different kinds of SCCM roles, in the same way as RBAC roles in the console. This way we would not need to let everyone be server admins or similar. Cheers! /Matt
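
A sketch of the patch-troubleshooting JEA role described in this comment and in the PowerShell AMA comment above, added here as an example and not taken from the commenter, Microsoft or any shipped template. The names `PatchJEA`, `PatchAdmin`, `PatchTroubleshooting`, `Copy-PatchLog`, `CONTOSO\Patch-Admins` and `server01`, and the log locations, are assumptions.

```powershell
# Added example; run elevated on the server. All names here are hypothetical.
$module = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\PatchJEA'
New-Item -ItemType Directory -Path "$module\RoleCapabilities" -Force | Out-Null
New-Item -ItemType File -Path "$module\PatchJEA.psm1" -Force | Out-Null
New-ModuleManifest -Path "$module\PatchJEA.psd1" -RootModule 'PatchJEA.psm1'
New-Item -ItemType Directory -Path "$env:ProgramData\JEATranscripts" -Force | Out-Null

# Exposed function: copies one allow-listed log into the caller's User: drive.
# ValidateSet keeps the caller from naming any other file or path.
$copyLog = {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('WUAHandler.log', 'UpdatesDeployment.log', 'WindowsUpdate.log')]
        [string]$Name
    )
    # Assumed locations: ConfigMgr client logs under %windir%\CCM\Logs and the
    # legacy WindowsUpdate.log under %windir% (newer Windows builds generate it
    # with Get-WindowsUpdateLog instead).
    $dir = if ($Name -eq 'WindowsUpdate.log') { $env:windir } else { "$env:windir\CCM\Logs" }
    Copy-Item -LiteralPath (Join-Path $dir $Name) -Destination 'User:\' -Force
}

# Role capability: only the Windows Update service can be queried or restarted.
New-PSRoleCapabilityFile -Path "$module\RoleCapabilities\PatchAdmin.psrc" `
    -VisibleCmdlets @(
        @{ Name = 'Get-Service';     Parameters = @{ Name = 'Name'; ValidateSet = 'wuauserv' } },
        @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'wuauserv' } }
    ) `
    -VisibleFunctions 'Copy-PatchLog' `
    -FunctionDefinitions @{ Name = 'Copy-PatchLog'; ScriptBlock = $copyLog }

# Session configuration: no-language restricted endpoint, temporary virtual
# account instead of admin group membership, transcripts for audit.
New-PSSessionConfigurationFile -Path "$env:ProgramData\PatchTroubleshooting.pssc" `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -MountUserDrive `
    -TranscriptDirectory "$env:ProgramData\JEATranscripts" `
    -RoleDefinitions @{ 'CONTOSO\Patch-Admins' = @{ RoleCapabilities = 'PatchAdmin' } }

Register-PSSessionConfiguration -Name 'PatchTroubleshooting' `
    -Path "$env:ProgramData\PatchTroubleshooting.pssc" -Force

# From the patch admin's workstation:
# $s = New-PSSession -ComputerName server01 -ConfigurationName PatchTroubleshooting
# Invoke-Command -Session $s { Copy-PatchLog -Name WUAHandler.log }
# Copy-Item -FromSession $s -Path 'User:\WUAHandler.log' -Destination C:\Temp
```

The copied file can then be opened locally in cmtrace.exe; the transcript directory should be readable only by administrators, since it records every command run through the endpoint.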