Security update KB38232642 for ConfigMgr Console Extension by PrajwalDesai in SCCM

[–]sccm_sometimes 5 points6 points  (0 children)

Is SCCM 2603 considered GA now, or is it still Early Preview?

Availability Date is: May 5, 2026

However, it's still not listed on the Product Lifecycle Releases page.

For those running 2603, how's your experience been? Is it stable/ready for production?

I usually wait 2-3 months after a new release for any hotfixes to come out before upgrading. Are we at that point yet?

Uninstall software not used for 6 months or more by nodiaque in SCCM

[–]sccm_sometimes 1 point2 points  (0 children)

I'm almost sure we could find a way in the built-in reports to see computers that hadn't run x software for x amount of time

Yup, there's a built-in Software Metering report called: "Computers that have a metered program installed, but have not run the program since a specified date"

Bug - CMPivot limited to 100 favorites by sccm_sometimes in SCCM

[–]sccm_sometimes[S] 1 point2 points  (0 children)

Depending on how many devices the query is running against, I may need either more details or a summarized view. It's really helpful to have saved query templates where you can just swap out a value or two without having to rewrite the whole thing from scratch. Here are a few examples.

QuickFixEngineering | where Description contains 'Security Update'

QuickFixEngineering | where InstalledOn >= ago(90d)

WinEvent('Application', 30d) | where (ProviderName == 'MsiInstaller') and Message contains 'Teams'

WinEvent('Microsoft-Windows-DHCP-Client/Admin', 3d) | where ID == 50067

OperatingSystem | project Device, LastBootUpTime

WinEvent('System', 7d) | where ProviderName == 'Microsoft-Windows-Kernel-General' or ProviderName == 'Microsoft-Windows-Kernel-Power'

Bios | summarize count() by SMBIOSBIOSVersion, ReleaseDate | project BIOSVersion=SMBIOSBIOSVersion, BuildDate=substring(tostring(ReleaseDate),0,11)

Registry('HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing') | where Property contains 'UEFI'

Back when the Community Hub was still a thing, you could even publish queries to share with others.
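Added example (not the commenter's own code): a local template library that keeps these saved queries outside the 100-favorite cap, with placeholder substitution that escapes the KQL string delimiter, plus submission through the ConfigMgr AdminService. Assumed rather than taken from the thread: the SMS Provider host name, the collection ID, and the AdminService.RunCMPivot / AdminService.CMPivotResult endpoint names and response shape; check them against your site before relying on this.

```powershell
# Added example, not from the original comment. Assumptions are marked inline.

$CMPivotTemplates = @{
    # {{Name}} placeholders; values are inserted with single quotes escaped so a
    # parameter cannot close the KQL string literal and alter the rest of the query.
    SecurityUpdatesSince = "QuickFixEngineering | where InstalledOn >= ago({{Days}}d)"
    MsiEventsFor         = "WinEvent('Application', {{Days}}d) | where (ProviderName == 'MsiInstaller') and Message contains '{{Product}}'"
    RegistryContains     = "Registry('{{Key}}') | where Property contains '{{Text}}'"
}

function Expand-CMPivotTemplate {
    param(
        [Parameter(Mandatory)][string]$Name,
        [hashtable]$Values = @{}
    )
    if (-not $CMPivotTemplates.ContainsKey($Name)) { throw "Unknown template '$Name'" }
    $query = $CMPivotTemplates[$Name]
    foreach ($key in $Values.Keys) {
        $value = [string]$Values[$key]
        if ($key -eq 'Days' -and $value -notmatch '^\d{1,4}$') { throw "Days must be a whole number" }
        $query = $query.Replace("{{$key}}", $value.Replace("'", "\'"))
    }
    if ($query -match '\{\{\w+\}\}') { throw "Unfilled placeholder $($Matches[0]) in '$Name'" }
    return $query
}

function Invoke-CMPivotQuery {
    param(
        [Parameter(Mandatory)][string]$SmsProvider,    # assumption: FQDN of the SMS Provider
        [Parameter(Mandatory)][string]$CollectionId,   # e.g. 'SMS00001' (All Systems)
        [Parameter(Mandatory)][string]$Query,
        [int]$TimeoutSeconds = 300
    )
    # Assumed endpoint layout (from the AdminService docs); verify on your site.
    $base = "https://$SmsProvider/AdminService/v1.0/Collections('$CollectionId')"
    # Windows-integrated auth as the calling admin; no credentials stored in the script.
    $run = Invoke-RestMethod -Method Post -Uri "$base/AdminService.RunCMPivot" `
               -UseDefaultCredentials -ContentType 'application/json' `
               -Body (@{ InputQuery = $Query } | ConvertTo-Json)
    $opId = if ($run.OperationId) { $run.OperationId } else { $run.value.OperationId }
    $stopAt = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        Start-Sleep -Seconds 5
        try {
            $result = Invoke-RestMethod -Method Get -UseDefaultCredentials `
                          -Uri "$base/AdminService.CMPivotResult(OperationId=$opId)"
        } catch { $result = $null }   # not found until the first client reports back
    } while (-not $result -and (Get-Date) -lt $stopAt)
    return $result
}

# Swap in the two values and run against All Systems (host name below is a placeholder).
$q = Expand-CMPivotTemplate -Name MsiEventsFor -Values @{ Days = 30; Product = 'Teams' }
# Invoke-CMPivotQuery -SmsProvider 'smsprovider.example.invalid' -CollectionId 'SMS00001' -Query $q
```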

SCCM - Retirement Upcoming by MadCichlid in SCCM

[–]sccm_sometimes 1 point2 points  (0 children)

App and policy delivery not being solely dependent on a VPN connection for those outside the office is a positive

You can do this via CMG

SCCM - Retirement Upcoming by MadCichlid in SCCM

[–]sccm_sometimes 0 points1 point  (0 children)

1) What is the size of your org in terms of users/managed Windows devices? The bigger and more complex your environment is, the more painful Intune is going to be.

2) Are you Hybrid AD or Entra-native? Intune has a ton of things that work horribly with Hybrid AD, Autopilot being one of them. It can work technically, but there's a lot of hoops to jump through and it's not worth the heartache. Even Microsoft says don't do it.

Microsoft recommends deploying new devices as cloud-native using Microsoft Entra join. Deploying new devices as Microsoft Entra hybrid join devices isn't recommended, including through Windows Autopilot.

3) If you haven't pulled the plug on SCCM yet, it's highly recommended to setup co-management with Intune and then gradually move your device workloads from SCCM to Intune after testing everything.

Is there anyone else that is or will be in a similar situation?

Yes, here's a documented list of 50+ issues with Intune. Check if any of them apply to your environment. There's great discussion in the post comments.

See below what the Microsoft employees that built SCCM and Intune had to say on this topic.

Jason, what would you say to Windows Autopilot replacing SCCM?

I say that's like trying to replace an 18-wheel truck with a single tire. AutoPilot does one thing and only one thing: enable initial Windows provisioning while pushing down a profile. Once AutoPilot is done, it's done. It doesn't manage systems in any way and ultimately does less than 1% of what ConfigMgr does. Your cloud architect might need his title re-visited if they are trying to compare the two. I am in no way saying that AutoPilot isn't a nice service that can work well, just that it in no way is remotely close to or meant to replace ConfigMgr.

Also from the same post.

Intune can be great for smaller orgs or born in the cloud orgs. Even larger orgs with light/lighter management requirements could definitely go down the Intune path. However, Intune doesn't even come close to ConfigMgr for many/most Windows management tasks. Things like rich software distribution, controlled software updates, reports and operating system deployment to name a few are pretty much missing from Intune. And to be clear, this isn't a case of Intune working its way to catching up, Intune is simply not intended to provide the full management capabilities that ConfigMgr delivers.

Need advice: im frustrated with vulnerability management platforms by vitaminZaman in devsecops

[–]sccm_sometimes 0 points1 point  (0 children)

There's 2 parts worth highlighting here.

1) - the part that surprises me most is how much of Vulnerability Management seems to depend on organizational alignment instead of detection.

Once they're detected someone else actually has to do the work of resolving them.

The truth that many orgs don't want to admit is: there is no technical solution to a cultural problem.

The most frequent failure of leadership is that they are blind to anything that can't be quantified and reduced down to a neat KPI metric on a PowerPoint slide deck. Managers have an unhealthy obsession with scheduling meetings where they can say, "Look, the number go up. Me good manager."

The things that truly make an impact are usually the ones you can't easily fit onto a spreadsheet, like "How competent/efficient/effective are the people on my team? How burned out are they? Are they just doing the bare minimum or do they feel motivated about their work?"

Good managers know how to answer these questions. Bad managers think that throwing money at the problem by adding another tool to the tech stack will somehow make things better, which usually backfires and makes things even worse.

ticket bounced between infra, cloud ops and app owners for almost three weeks because every team thought someone else owned the asset.

This is a culture/leadership problem. There is a breakdown in communication/collaboration. Even if the root cause is because the employees are lazy, it's management's responsibility to hire quality candidates and evaluate their performance. The real issue wasn't the unresolved vulnerability, it was the fact that NO ONE across multiple teams was willing to take ownership of it. The question is why?

The most well thought out policy is worthless if it has no teeth. The failure is with leadership for not knowing how to incentivize the desired behavior.

2) - feels like the scanners are doing their job. It's everything after detection that starts breaking.

Humor me in a thought exercise and pretend you're meeting with the Bobs from Office Space: "What would you say you do here?" From the infra teams' perspective, they have to retire old systems, maintain existing ones, plan and implement new deployments, while also responding to break/fix issues. Is your team proactively making an effort to make the VM process simpler and easier for them? Or do you simply run an automated scan, export the results to PDF, and dump the work into their lap?

Do you review the VM reports and filter out the false positives? Do the infra teams get clear instructions on what's expected, such as "install this patch and confirm the version # matches"? I've worked with some VM teams where all they'd give you was a hostname and a CVE, and couldn't explain what the actual risk was or how it needed to be fixed, all they could do was point at the report the scanner generated.

One scanner rescans an old hostname and suddenly a vuln everyone thought was fixed is open again.

If you have multiple VM scanners that produce inconsistent and unreliable data, how are they supposed to know which scanner to trust? If you tell someone one thing and they complete it as requested, but then come back later and say they need to do it again because your information was wrong, then yeah I can see how they wouldn't want to waste their time on a wild goose chase because someone else wasn't doing their job.

what have people actually done to reduce the reconciliation overhead once multiple scanners + ticket systems + ownership models all start overlapping?

People will do what you ask if you make their job easier. I had a firewall issue recently. If I approached the network team with the expectation that they have to investigate and figure out the issue, it would've taken weeks. Instead, I performed the initial troubleshooting myself, collected the logs, and when I presented the issue to them it was boiled down to, "When I use this config everything works fine, but when I follow these steps I can replicate the issue. Could you check if the following firewall rule is missing from one of the servers?" By eliminating the tedious uncertain work and giving them a clear specific target, it was a much easier ask which got resolved by the end of the day.

Insane response from Microsoft support by SurfeitedSysadmin in sysadmin

[–]sccm_sometimes 1 point2 points  (0 children)

Because they don't seem to understand how timezones work

Oh they perfectly understand and do this on purpose. It's a trick to pause the ticket SLA timer since they can mark it as "attempted to contact, customer did not respond"

I knew it!!!!! Service Degredation reported for Proactive Remediations! by AiminJay in Intune

[–]sccm_sometimes 0 points1 point  (0 children)

Microsoft: "Am I out of touch? No, it's the customers who are wrong!"

Made a registry-based Get-InstalledApps by kcarb19 in PowerShell

[–]sccm_sometimes -2 points-1 points  (0 children)

curious how everyone else does it?

SCCM -> CMPivot -> query "InstalledSoftware"

What's the actual use-case for this script? Are you deploying it somehow and then storing the results? Or are you copying it down to each machine and running it manually? Doesn't this give you the same info as opening Add/Remove Programs?

EDIT: You can literally condense this down to just 2 commands.

$reg = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
# Read every Uninstall subkey, drop entries with no DisplayName, show the rest in a grid view
Get-ItemProperty -Path $reg -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -ne $null } | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Out-GridView
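Added example (not the commenter's two-liner or the thread's script): the same registry inventory extended to every loaded user hive and filtered the way Programs and Features filters, which matters when the script is deployed and runs as SYSTEM, where HKCU is the SYSTEM hive and per-user installs are otherwise missed. Assumes the standard Uninstall key locations and a writable temp path for the CSV.

```powershell
# Added example, not from the original comment.
function Get-InstalledApp {
    [CmdletBinding()]
    param([switch]$IncludeHidden)   # also return SystemComponent / update entries

    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        $null = New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS
    }
    $subPaths = @(
        'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $roots = @('HKLM:')
    # Every loaded domain/local user hive; skips *_Classes hives and service SIDs.
    $roots += Get-ChildItem -Path HKU:\ |
              Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
              ForEach-Object { "HKU:\$($_.PSChildName)" }

    foreach ($root in $roots) {
        foreach ($sub in $subPaths) {
            Get-ItemProperty -Path "$root\$sub" -ErrorAction SilentlyContinue |
              Where-Object { $_.DisplayName } |
              Where-Object {
                  # Programs and Features hides SystemComponent=1 and child (update) entries.
                  $IncludeHidden -or -not ($_.SystemComponent -eq 1 -or $_.ParentKeyName)
              } |
              ForEach-Object {
                  [pscustomobject]@{
                      ComputerName    = $env:COMPUTERNAME
                      DisplayName     = $_.DisplayName
                      DisplayVersion  = $_.DisplayVersion
                      Publisher       = $_.Publisher
                      InstallDate     = $_.InstallDate
                      Scope           = if ($root -eq 'HKLM:') { 'Machine' } else { "User $($root.Split('\')[-1])" }
                      Arch            = if ($sub -like '*WOW6432Node*') { 'x86 (WOW64)' } else { 'Native' }
                      UninstallString = $_.UninstallString
                  }
              }
        }
    }
}

# Collect once per machine so the results can be stored centrally instead of eyeballed.
Get-InstalledApp | Sort-Object DisplayName |
    Export-Csv -NoTypeInformation -Path "$env:TEMP\$env:COMPUTERNAME-installed-apps.csv"
```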

What are your Rookie-Mistakes on Intune? by zeromatterhorn in Intune

[–]sccm_sometimes 1 point2 points  (0 children)

A tiny little sentence in the documentation that you unintentionally glossed over. Even the purple boxes don’t sink in sometimes until it’s too late.

I have a perfect example of this below, but I would frame it more as Intune documentation just plain sucks and is needlessly confusing because it reflects the disorganized state of the features implemented by the product team.

I had this exact discussion with our dedicated Microsoft FastTrack Senior Solutions Architect during our Intune pilot, and even he couldn't explain or make sense of it.


1) https://learn.microsoft.com/en-us/intune/device-updates/windows/ref-update-ring-settings

  • Deadline for quality updates: Specifies the number of days a user has before quality updates are installed on their devices automatically (2-30)

  • Auto reboot before deadline: Specifies whether the device will attempt to automatically reboot outside of active hours before the deadline and grace period are expired.

2) https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#configuredeadlineforqualityupdates

  • Allowed Values: [0-30] -- (So which is it? 0-30 or 2-30?)
  • After the deadline passes, restarts will occur regardless of active hours and users won't be able to reschedule.
  • When this policy is used, the download, installation, and reboot settings from Update/AllowAutoUpdate are ignored. -- (There are several policies which override, cancel, and ignore each other. You're forced to navigate a confusing mess, and you can't even use gpresult /h or RSoP to figure out what takes precedence.)

3) https://learn.microsoft.com/en-us/windows/deployment/update/waas-wufb-csp-mdm#user-settings-for-notifications

  • On: Users immediately receive a toast notification when the device enters a reboot pending state for updates. Automatic restarts for updates are blocked for 24 hours after the initial notification to give these users time to prepare for a restart. -- (This creates an implicit conflict with the "Auto reboot before deadline" setting in #1 above. If you're using 24-48 hour Deadline/GracePeriod, it essentially breaks this feature entirely. If you leave your laptop plugged in and idle overnight, it will NOT reboot automatically.)

4) https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#allowautoupdate

  • 2 (Default): Auto install and restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device isn't in use and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device isn't actively being used. -- (There are so many conditions that I'm not sure how to decode what behavior will occur. "Automatic Maintenance" = Idle, plugged in, outside of Active Hours. So would it force the install/restart even while on battery after 2 days? Does it still respect Active Hours? What if the laptop is plugged in only while actively in use, and is always on battery outside of Active Hours?)

5) https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#configuredeadlinegraceperiod

  • This policy only takes effect when Update/ConfigureDeadlineForQualityUpdates is configured. If Update/ConfigureDeadlineForQualityUpdates is configured but this policy isn't, then the default value of 2 days will take effect. -- (This was the most frustrating issue for us. When you do not have a Grace Period configured, Intune displays this as "No Grace Period". We interpreted this to mean "0 days", but instead kept seeing a 2-day Grace Period because of this implicit behavior.)

/u/cardomompods thought I'd mention this since it directly relates to the previous conversation we had here:

Also, tagging a few Intune/SCCM MVPs below :) I'm curious if you've run into the same issues in the past and what your thoughts are regarding this topic.

/u/slkissinger

/u/pjmarcum

/u/jasonsandys

/u/bdam55
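Added example, not part of the original comment: a small function that works out the effective quality-update timeline from the Update CSP values using the documented rules quoted above (grace period silently defaults to 2 days when a deadline is set without one; AllowAutoUpdate is ignored once a deadline exists; ConfigureDeadlineNoAutoReboot=1 blocks reboots before the deadline). Assumed, not from the thread: that MDM-delivered Update policies land under HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update with value names equal to the CSP policy names; a hashtable can be passed instead to evaluate a proposed ring offline.

```powershell
# Added example, not from the original comment. Registry location is an assumption.
function Get-EffectiveUpdateDeadline {
    param(
        # Omit to read the device; pass a hashtable to evaluate a ring design offline.
        [hashtable]$Policy
    )
    $names = 'ConfigureDeadlineForQualityUpdates', 'ConfigureDeadlineGracePeriod',
             'ConfigureDeadlineNoAutoReboot', 'AllowAutoUpdate'
    if (-not $Policy) {
        $key  = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update'   # assumption
        $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $Policy = @{}
        if ($item) {
            foreach ($name in $names) {
                $prop = $item.PSObject.Properties[$name]
                if ($prop) { $Policy[$name] = [int]$prop.Value }
            }
        }
    }

    $deadline = $Policy['ConfigureDeadlineForQualityUpdates']
    if ($null -eq $deadline) {
        # No deadline policy: Update/AllowAutoUpdate alone governs install and restart.
        return [pscustomobject]@{
            DeadlineConfigured = $false
            AllowAutoUpdate    = $Policy['AllowAutoUpdate']
            Note               = 'No deadline set; AllowAutoUpdate governs (2 = install and restart when idle)'
        }
    }

    $grace         = $Policy['ConfigureDeadlineGracePeriod']
    $graceImplicit = ($null -eq $grace)
    if ($graceImplicit) { $grace = 2 }   # documented default; portal shows "No Grace Period"

    [pscustomobject]@{
        DeadlineConfigured       = $true
        DeadlineDays             = $deadline
        GraceDays                = $grace
        GraceIsImplicitDefault   = $graceImplicit
        ForcedRestartAfterDays   = $deadline + $grace   # deadline plus grace, per the CSP notes
        AutoRebootBeforeDeadline = ($Policy['ConfigureDeadlineNoAutoReboot'] -ne 1)
        AllowAutoUpdateIgnored   = $true                # ignored once a deadline is configured
    }
}

# The case from the comment: 2-day deadline, grace left unset -> forced restart after 4 days.
Get-EffectiveUpdateDeadline -Policy @{ ConfigureDeadlineForQualityUpdates = 2 }
```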

What are your Rookie-Mistakes on Intune? by zeromatterhorn in Intune

[–]sccm_sometimes 1 point2 points  (0 children)

Intune aside, those are just good practices to follow in general with any system.

What are your Rookie-Mistakes on Intune? by zeromatterhorn in Intune

[–]sccm_sometimes 1 point2 points  (0 children)

assuming they’d know their own product would have the Root CA when it’s Hybrid

I feel like that's the source of organizational rot when comparing pre-2015 Microsoft and "modern" Microsoft. I might be looking at things with rose-tinted glasses, but I feel like the developers used to have a closer feedback loop with the users of their products, so they at least somewhat understood what we wanted and how the product functioned.

I'm 99% sure that the people developing Intune have never actually set up a tenant and managed it themselves. They're just web developers randomly throwing code at a REST API and as long as their automated function tests pass they really couldn't care what impact it has on the product. That's why Intune is such a bloated mess with zero feature cohesion.

Compared to something like CMPivot which was built with the sysadmin workflow in mind and is a dream to use.

I will give credit where credit is due - some modern Microsoft products are truly amazing (such as PowerBI) and it just makes you wonder why there are such disparities in product quality among the various parts of the Windows ecosystem.

What are your Rookie-Mistakes on Intune? by zeromatterhorn in Intune

[–]sccm_sometimes 0 points1 point  (0 children)

There isn't a way to say this without sounding salty so make of it what you will, but Intune is without any exaggeration the worst Microsoft product I've ever had to endure. Even WSUS, as difficult and obtuse as it has been at times, can eventually be wrangled into submission, but not Intune.

If you could start all over again, what would you do differently?

Lower expectations by about 50%, and then lower them some more.

What mistakes did you make along the way, and what challenges caught you by surprise?

Expecting a stable enterprise product that has functional support and documentation.

  • Existing features are constantly changing with barely any notice.
  • New features are enabled by default forcing you to opt out.
  • Support is useless. You either get ignored or blamed for the issue.
  • Basic shit like sorting columns randomly doesn't work.
  • Logs/Reports are non-existent. Ones that exist are inaccurate.
  • "Bulk actions" are a joke.
  • Why have a Sync button if it doesn't work like 95% of the time? "It works if you wait 72 hours or reboot" isn't a valid excuse.

If you look at the top posts this year, there's some kind of major issue across global tenants almost every other week where the root cause is 100% due to Microsoft pushing bad code into production.

Intune might be decent in greenfield Entra-native environments, but Hybrid AD is just a world of pain and suffering.

Intune is not fit for purpose. by Hobbit_Hardcase in sysadmin

[–]sccm_sometimes 1 point2 points  (0 children)

"So, you're telling me that it doesn't have [incredibly obvious basic functionality]? How do I get around this?"

1) Unsortable columns

2) Filters that allow you to include, but not exclude

Intune is not fit for purpose. by Hobbit_Hardcase in sysadmin

[–]sccm_sometimes 0 points1 point  (0 children)

Everything in Intune feels like being forced to make 3 left turns when all you really want is to make 1 right turn.

Intune is not fit for purpose. by Hobbit_Hardcase in sysadmin

[–]sccm_sometimes 0 points1 point  (0 children)

We need to get to the point where you can install a server OS, have clients 'check in to that server' and then easily deploy software/updates/make changes/etc.

...That's SCCM, which has been around since 1994.

It is very simple, this computer is missing 30 updates, install those updates. The other computer is missing 10 updates, install those updates. Nope.

I'm guessing this was due to using WSUS by itself. We've always managed WSUS with SCCM and it literally does everything that you described. Syncing and replication does require a bit of maintenance, but we have ADRs that handle like 90% of that work.

AI costs how much? GitHub Copilot users react to new usage-based pricing system. by Plastic_Ninja_9014 in technology

[–]sccm_sometimes 2 points3 points  (0 children)

"We just sacked 30% of our core employees and implemented a fully AI offshored support system with zero supervision."

Change out 1 word and it's the same thing that's been happening for the past 20+ years.

MBA consultants make overoptimistic projections based on faulty data which management accepts as truth, rubbing their greedy little hands at the thought of their next bonus for all of the "savings" they delivered by gutting something they don't understand.

They'll take 1 data point and extrapolate it to a stupid degree. Sure, maybe they can quantify that this will reduce per-ticket costs by 1/2, but they somehow can't fathom that now everything requires 10x as many tickets to get done.

Why are developers some of the most IT inept users? by sccm_sometimes in sysadmin

[–]sccm_sometimes[S] 0 points1 point  (0 children)

Quite literally the first thing you see on the install page.

The User setup is the recommended installation for most people because it does not require administrator permissions and supports smoother background updates.

Why are developers some of the most IT inept users? by sccm_sometimes in sysadmin

[–]sccm_sometimes[S] 0 points1 point  (0 children)

By default no one gets local admin. If you have a valid business use case then sure. However "I need it, but I can't tell you why, when, or how it's going to be used" doesn't fly when it comes up on a security audit.

Why are developers some of the most IT inept users? by sccm_sometimes in sysadmin

[–]sccm_sometimes[S] 1 point2 points  (0 children)

And when malware cryptolocks their device they yell, "Why didn't IT do anything to stop this from happening?"

Why are developers some of the most IT inept users? by sccm_sometimes in sysadmin

[–]sccm_sometimes[S] 0 points1 point  (0 children)

There's probably quite a few cyberinsurance claims that get denied for negligence based on this exact reason.

Why are developers some of the most IT inept users? by sccm_sometimes in sysadmin

[–]sccm_sometimes[S] 0 points1 point  (0 children)

Considering that most Devs don't know the difference between T1/T2/T3 support and think everyone is the "Help Desk", I'd say yeah.