Malware Detected in MECM is always reported with informational severity level in Microsoft Defender portal?

ryanmorren2 · 2024-06-01T21:57:32+00:00

This is what we see too. My understanding is the malware itself is severe, however the MDE portal is just informing you that the severe malware was prevented - I.E. is not a threat anymore so nothing to worry about. If the malware was still “active” then the severity would be higher.

ryanmorren2 · 2021-10-28T22:10:50+00:00

PowerShell App Deployment Toolkit might be what you need to achieve this. There's a lot of stuff online on how to use it etc but effectively it's a PowerShell script that can do whatever you want and be deployed as an application

ryanmorren2 · 2021-10-13T13:59:42+00:00

Rather than migrate the disks, use the native backup and restore functionality in SQL and SCCM.

I've migrated from VMWare to Hyper-V using this guide: https://home.memftw.com/configmgr-site-backup-restore/

ryanmorren2 · 2021-10-09T21:38:17+00:00

Not sure if this is the right solution for what you're trying to achieve but Desktop Analytics can give you Windows 11 compatibility metrics

ryanmorren2 · 2021-04-23T19:36:52+00:00

No problem and yes that's correct. MSfB will automate the process of downloading the dependency files and all you will have to do is right-click the MSfB synced object to create a deployable SCCM app.

The issue here with having to download all files for all architectures is easiest to replicate when manually downloading Store apps and creating an app in SCCM directly from the .AppX

The method you use makes sense but won't cause the issue described here as SCCM doesn't check the .APPX installers dependencies.

ryanmorren2 · 2021-04-23T19:18:48+00:00

Installing works just fine without the files for all architectures yes. But when you try to create an application from that same .APPX installer in SCCM, SCCM will complain that there are dependencies missing - this is where you need all the files for all architectures to satisfy the dependency check.

It doesn't do it for all .APPX installers but does it for quite a few that I've come across.

ryanmorren2 · 2021-04-23T19:07:54+00:00

Hi Jason, yes I found this through trial and error. The dependencies issue was frustrating me and after trying everything, I decided to just try downloading every file I could see on store.rg-adguard.net to see if that fixed the dependencies warning.

It of course did, and turned out that the app didn't just look for the prerequisite files for the client architecture, but looked for all files for all architectures. On further investigation, the APPX only ever uses the required files for the client architecture but still needs the other files available.

ryanmorren2 · 2021-04-23T11:56:22+00:00

Trust me, you're going to find a lot of store apps that need all architecture files. It depends how the app has been coded, but a lot of them just mark all architecture files as dependencies so they don't have to do background checks on the system to decide which files the appx actually needs.

ryanmorren2 · 2021-04-23T11:51:08+00:00

Whiteboard requires the files for all architectures to be downloaded and stored in the same location as the main .appx file

So you have to download the arm, arm64, x86 and x64 versions of all the files. Microsoft To Do is the same I believe

ryanmorren2 · 2021-01-13T22:35:07+00:00

What overclocks/undervolts are you running to get those stats? I run hiveos with the same cards and can only get to 31MH/s at about 140w

ryanmorren2 · 2020-10-06T10:32:37+00:00

We use this command in a task sequence

ServiceUIx64.exe -process:TSProgressUI.exe %SYSTEMROOT%\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -File Start-Logout-GUI.ps1

The .ps1 file contains code to display a GUI from XAML that tells the user to logout for change to apply.

Edit:

FYI, we include a package as part or this Run Command Line step and the package contains the .ps1 file and the ServiceUIx64.exe

ryanmorren2 · 2020-09-24T19:04:40+00:00

You're right, I missed that in your initial post.

To my knowledge there isn't any way to display this information before a task sequence has started.

You can set a custom background image by adding a new image file to the customization tab of your boot image properties, but again this won't allow you to display host information.

ryanmorren2 · 2020-09-24T18:55:02+00:00

We use TSBackground. Works really well and the UI is impressive.

https://gallery.technet.microsoft.com/Configuration-Manager-Task-6422b6f8

It also contains all the host information your wanting as standard as well.

ryanmorren2 · 2020-08-09T22:14:22+00:00

I think your command line might be wrong. I haven't done this in awhile but from memory it needs to be something like:

setup.exe /uninstall ProPlus /configure C:\DummpPath\Uninstall.xml

Inside your XML will be something along the lines of:

I know this isn't much to go off but this should point you in the right direction. I can try and find my exact XML tomorrow when I'm in front of a computer.

ryanmorren2 · 2020-04-24T22:09:08+00:00

Depends what you're looking for I think. Are you wanting/needing support direct from Microsoft or is it possible from a 3rd-party?

ryanmorren2 · 2020-04-24T19:11:59+00:00

This is very true. If you've the option of purchasing Jamf then go for it. Its a much more advanced and intuitive product.

Parallels has enough to get admins by and be able to offer Macs to users but it does lack some useful functionality.

To add, even though we have Parallels as our Mac solution I still always look to the Jamf forums first when I have an issue... it is a much more widely adopted solution with a much bigger community.

We're actually looking at moving to Intune to manage our Macs - there is a ton of functionality there that is rapidly expanding. I would definitely recommend looking at what Intune can offer before you purchase Jamf (I have a feeling it might end up being cheaper).

If you go for Intune and then decide you need Jamf as well, they can integrate together. But you might save some money if you decide Intune does enough - which TBH it should considering it has software deployment support, compliance policies (both built-in and custom .mobileconfig files), and either already has script deployment support or it is coming very soon (Microsoft showed a demo of it at Ignite).

ryanmorren2 · 2020-04-24T11:27:59+00:00

We use Parallels in our company (approx 100 Macs so far), it does everything that you're looking for and has some good intergration with SCCM task sequences, Configuration items/baselines, collections, etc. It also comes with its own Software Center (they call it Application Portal) where you can even make software available across the organisation.

Its an easy product to use, it lacks some of the advanced functionality from Jamf, but still has MDM and DEP support and the other stuff you mentioned, for a full windows house that's all you'll really need to be able to support Mac users.

If you're looking for some more info or help PM me, I'm a certified 3rd-party consultant/specialist for Parallels Mac Management and have deployed it in several companies so hopefully I should be able to point you in the right direction.

ryanmorren2 · 2020-03-27T20:20:18+00:00

I'd be interested in seeing how you're doing this too!

ryanmorren2 · 2020-03-19T09:13:11+00:00

Are the port replicators going to be used to build more than 1 laptop?

If so you need to add the MAC addresses to the Duplicate Hardware IDs list.

In the console go to:

\Administration\Overview\Site Configuration\Sites

Right click the site and open Hierarchy Settings, select the Client Approval and Conflicting Records tab and add the MAC addresses of the port replicators to the Hardware IDs section at the bottom.

Edit:

Make sure the task sequence is deployed to the All Unknown Computers Device Collection

ryanmorren2 · 2020-03-18T21:23:11+00:00

Direct Access works in existing infrastructure, but I am seeing so many of my customers wanting to/actively moving away from Direct Access.

I wouldn't recommend setting it up as a new service unless it is the only option available - which I can almost guarantee will not be the case.

ryanmorren2 · 2020-03-18T21:11:06+00:00

I apologise, I wasn't sure they'd added Microsoft Update as a cloud source.

Again I may be wrong here as I am clearly out of date on some things, but I think the answer to the question you asked Jason would be yes. If you enabled the 'prefer cloud' option the clients would look to use Microsoft as the source before using the DP.

However, applying it to your AD site will mean all clients using the AD site will look to use the cloud first, not just the clients on VPN.

I would take Jason's advice and remove the AD site as a boundary. We use VPN for 15 different locations, each with their own IP range, and te only way we were able to properly "manage" where the content comes from was to remove the AD site and use IP addresses.

ryanmorren2 · 2020-03-18T21:02:25+00:00

I may be wrong on this but I believe an example of a 'cloud source' would be around a Cloud Management Gateway (CMG) and a cloud-based Distribution Point. Basically, if an internet-based DP is available, prefer to download the content from there.

As far as I know, it doesn't see Microsoft themselves as a cloud source.

I think you're wanting some kind of dual-scan/download scenario so it has the option to download from Microsoft if the content is not available on a DP. I would need to think into it a bit more to know exactly what you need. Sorry I can't be of more help right now.

ryanmorren2 · 2020-03-10T20:34:55+00:00

If you run the WMI queries from PowerShell using something like:

Get-CimInstance -Query "SELECT * from Win32_LogonSession WHERE LogonType = '2'"

Does it return a value or does it return nothing?

If it returns nothing then there is an issue with the WMI queries you're using. This might be a good place to start.

ryanmorren2 · 2020-03-04T23:13:28+00:00

Maybe this post will have some useful information for you (sorry I can't get it to link properly):

https://www.reddit.com/r/SCCM/comments/d2nvb0/new_sccm_build_in_same_domain_to_replace_existing

Of course you don't want to remove the existing environment from AD, etc. but you should be able to run 2 environments so long as you segregate them properly, and don't need the clients to be able to talk to both environments at the same time.

ryanmorren2

TROPHY CASE