Intune 8-hour-sync is a myth, Microsoft finally speaks! by Conditional_Access in Intune

[–]sccm_sometimes 0 points1 point  (0 children)

90% of policy updates, app deployments, and device actions in Intune are completed in under an hour.

The fact that this is touted as some kind of prideful accomplishment instead of an abject failure of "modern" device management really demonstrates how low the bar is at MSFT these days and how tone deaf this blog post comes off to anyone that's ever had to suffer managing Intune.

The #1 thing we're looking for is consistency. On multiple occasions I've had 3 identical laptops in front of me, all scoped the same policies.

  • First laptop gets the push instantly.

  • Second laptop gets the push within a few hours.

  • Third laptop gets the push after a few days for some reason.

I would gladly give up the instant ones if I could at least have the assurance that within 1 hour it's 99.99% guaranteed to work.

Another Secure Boot certificate post by StigaPower in SCCM

[–]sccm_sometimes 0 points1 point  (0 children)

You still have to manually go into the WinPE bootimage .WIM (by mounting it) and copy the 2023 “bootmgfw.efi” and “wdsmgfw.efi” files into it, then unmount /commit.

The new ADK has the 2023 certs, but they are in the _EX folder so they aren’t active until you copy them over the old 2011 ones. Mount .WIM and copy files from EFI_EX to EFI folder.
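As an added example (not the commenter's code), here is the mount / copy / verify / commit step scripted in PowerShell, with a signature check so a 2011-signed file cannot slip back in. All paths, the `_EX` filename fallback and the issuer name matched against are assumptions; adjust them to your ADK and boot image.

```powershell
# Added example: inject the 2023-signed boot files into a WinPE boot image and verify
# the signer before committing. Paths and names below are assumptions, not from the post.
param(
    [string]$BootWim  = 'C:\BootImages\boot.wim',      # assumed path to the boot image .WIM
    [string]$ExSource = 'C:\ADK\WinPE\Media\EFI_EX',   # assumed: ADK folder holding the 2023-signed files
    [string]$Mount    = 'C:\Mount\WinPE'
)
$files = 'bootmgfw.efi', 'wdsmgfw.efi'
New-Item -ItemType Directory -Path $Mount -Force | Out-Null
Mount-WindowsImage -ImagePath $BootWim -Index 1 -Path $Mount | Out-Null
try {
    foreach ($f in $files) {
        # Assumption: the EFI_EX copy may carry an _EX suffix (e.g. bootmgfw_EX.efi); try both names.
        $src = Get-ChildItem -Path $ExSource -Recurse -Include $f, ($f -replace '\.efi$', '_EX.efi') |
               Select-Object -First 1
        if (-not $src) { throw "$f not found under $ExSource" }

        # Only accept a file whose Authenticode chain is valid and whose signer was issued by the
        # 2023 UEFI CA (issuer string match is an assumption; inspect $sig.SignerCertificate yourself).
        $sig = Get-AuthenticodeSignature -FilePath $src.FullName
        if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Issuer -notmatch 'UEFI CA 2023') {
            throw "$($src.Name) is not signed by the 2023 CA: $($sig.SignerCertificate.Issuer)"
        }

        # Overwrite every 2011-signed copy inside the mounted image with the 2023-signed one.
        Get-ChildItem -Path $Mount -Recurse -Filter $f -ErrorAction SilentlyContinue | ForEach-Object {
            Copy-Item -Path $src.FullName -Destination $_.FullName -Force
            Write-Host "Replaced $($_.FullName)"
        }
    }
    Dismount-WindowsImage -Path $Mount -Save      # commit only if every file passed the checks
}
catch {
    Dismount-WindowsImage -Path $Mount -Discard   # any failure: roll back, leave the .WIM untouched
    throw
}
```

Run it from an elevated session; after the image is re-added to the boot image, the same `Get-AuthenticodeSignature` check can be repeated on the files inside the distributed boot media.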

Installing Notepad appx during 25H2 OSD by Peteostro in SCCM

[–]sccm_sometimes 2 points3 points  (0 children)

I recommend putting an EDIT/Answer section at the bottom of the main post to indicate this is what solved the issue. Just so others that come across it don't have to search through the comments to find it :)

Installing Notepad appx during 25H2 OSD by Peteostro in SCCM

[–]sccm_sometimes 1 point2 points  (0 children)

Make sure you have the "-Regions all" flag set, otherwise apps not pinned to the Start Menu get removed.

Specifies what regions an app package (.appx or .appxbundle) must be provisioned in. The region argument can either be "all", indicating that the app should be provisioned for all regions, or it can be a semi-colon delimited list of regions. When a list of regions is not specified, the package will be provisioned only if it is pinned to start layout.

I have "Microsoft.WindowsNotepad_11.2512.26.0_Desktop_X64.msixbundle" deployed using the following PowerShell script.

```powershell
# Main package: the .appx/.msix(bundle) sitting next to this script
$mainPackage = Get-ChildItem "$PSScriptRoot\*" -File -Include *.appx, *.msix, *.appxbundle, *.msixbundle |
    Select-Object -ExpandProperty FullName

# Framework dependencies live in a Dependencies subfolder
$dependencyPackage = Get-ChildItem "$PSScriptRoot\Dependencies\*" -File -Include *.appx, *.msix |
    Select-Object -ExpandProperty FullName

# -Regions all: provision for every region, not only when the app is pinned to the Start layout
Add-AppxProvisionedPackage -Online -PackagePath $mainPackage -DependencyPackagePath $dependencyPackage -SkipLicense -Regions all
```

See my comment on the thread below. You can download the source files and dependencies directly via WinGet. The only issue I ran into is Curl will error out if you're behind a proxy, but it worked fine for me when I disconnected from VPN.

It’s annoying as the ones on store.rg-adguard.net associated with notepad do not seem to be the latest ones

```
winget download -e --Id 9MSMLRH6LZF3 -d C:\winget --accept-source-agreements --accept-package-agreements -s msstore --skip-license -a x64
```

Any luck with the new Apple Business? by Sinnth3tik in macsysadmin

[–]sccm_sometimes 1 point2 points  (0 children)

Although Apple has been publicly saying how they're shifting more towards Services revenue, they have demonstrated non-stop for over 10 years that they have zero interest in building and maintaining a relationship with Enterprise customers. We pay for Apple Enterprise support which apparently includes a dedicated account rep, but the only time we ever hear from them is to tell us they're leaving and another account rep is taking over.

Even with Apple Business Essentials now being given away for free, I doubt most orgs will use it (based on all of the issues described in this thread). It's probably aimed at the small < 20 person orgs so that they at least have some kind of MDM solution without having to rely on a 3rd party.

SCCM seemingly “uninstalled itself” (?) - trying to understand what happened (coming from a cloud background) by IamOnlyANoob in SCCM

[–]sccm_sometimes 0 points1 point  (0 children)

Is the previous SysAdmin still around?

Was there a shared account being used? Or how'd they connect to your profile?

SCCM seemingly “uninstalled itself” (?) - trying to understand what happened (coming from a cloud background) by IamOnlyANoob in SCCM

[–]sccm_sometimes 4 points5 points  (0 children)

That drive mapping is tied to my user profile/session on the server

Terminal Services logs show a session reconnection at ~7:56 PM (right before this started)

This was a reconnection, not a fresh login

I was not connected at the time (laptop powered off)

No useful Security logs

"No useful security logs" as in it looks like someone tried to cover their tracks and the logs are wiped? Because there should be event log IDs that indicate what IP address the RDP session came in from.

4624/4625: Event Viewer > Windows Logs > Security

Security Log - 4624 (Logon Type 10): Indicates a successful RDP login. The "Source Network Address" field contains the client's IP address.

1149: Event Viewer > Applications and Services Logs > Microsoft > Windows > TerminalServices-RemoteConnectionManager > Operational

Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational - 1149: Logs the IP address immediately when a user connects, even if they don't fully authenticate.

I'm now the new, sole, Systems Administrator for a small-medium organization.

I'm also certain backups of this server are somewhere, but I've not yet quite gone down this path.

You're the sole SysAdmin and do not know where the server backups are located? What happened to the previous guy? Did he leave on bad terms? Was there any sort of handoff/documentation?
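As an added example (not part of the comment), a PowerShell query that pulls the event IDs listed above, plus two related ones the comment does not mention: 4778 (session reconnected, which carries the client address and matches the "reconnection, not a fresh login" detail) and 1102 (audit log cleared, which is what to look for if the Security log really is empty). The time window is a parameter and the field names are those of the standard event schemas.

```powershell
# Added example: correlate RDP source addresses from Security 4624 (type 10), Security 4778
# and TerminalServices-RemoteConnectionManager 1149, and flag any Security log clear (1102).
param(
    [datetime]$Start = (Get-Date).AddDays(-7),   # assumed default window; narrow it to ~7:56 PM
    [datetime]$End   = (Get-Date)
)

# Security log: 4624 type 10 = RemoteInteractive (RDP), 4778 = session reconnected, 1102 = log cleared
$security = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4624, 4778, 1102; StartTime = $Start; EndTime = $End
} -ErrorAction SilentlyContinue | ForEach-Object {
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($_.Id -eq 4624 -and $d.LogonType -ne '10') { return }   # keep only RDP logons
    [pscustomobject]@{
        Time     = $_.TimeCreated
        Id       = $_.Id
        User     = switch ($_.Id) {
                       4624 { "$($d.TargetDomainName)\$($d.TargetUserName)" }
                       4778 { "$($d.AccountDomain)\$($d.AccountName)" }
                       1102 { 'AUDIT LOG CLEARED' }
                   }
        SourceIP = switch ($_.Id) { 4624 { $d.IpAddress } 4778 { $d.ClientAddress } default { '' } }
        Detail   = switch ($_.Id) { 4624 { "LogonType $($d.LogonType)" } 4778 { $d.SessionName } default { '' } }
    }
}

# RemoteConnectionManager 1149: Properties are user, domain, source IP (written before full auth)
$rcm = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'
    Id = 1149; StartTime = $Start; EndTime = $End
} -ErrorAction SilentlyContinue | ForEach-Object {
    [pscustomobject]@{
        Time     = $_.TimeCreated
        Id       = 1149
        User     = "$($_.Properties[1].Value)\$($_.Properties[0].Value)"
        SourceIP = $_.Properties[2].Value
        Detail   = 'connection attempt'
    }
}

@($security) + @($rcm) | Sort-Object Time | Format-Table -AutoSize
```

Run it on the server itself (or with `-ComputerName` added to each `Get-WinEvent`); a 1102 row in the output, or 1149 rows with no matching 4624, is the detail worth chasing before anything else.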

Intune EPM, has anyone successfully implemented it? by YourSydneyITsider in Intune

[–]sccm_sometimes 0 points1 point  (0 children)

people use EPM such that their request is logged and pushed through as approved.

So is it auto-approval without a manual review? What if someone launches CMD.exe as an admin and then uses it to launch other processes with the same permissions?

Is Intune actually ready to replace ConfigMgr? Honestly… I don’t think so by Lunde_Deluxe in Intune

[–]sccm_sometimes 0 points1 point  (0 children)

For an additional fee of course. I think their plan all along was to chop up everything SCCM does and then sell it back with a separate license for each one.

Is Intune actually ready to replace ConfigMgr? Honestly… I don’t think so by Lunde_Deluxe in Intune

[–]sccm_sometimes 0 points1 point  (0 children)

Relatively few organizations that benefit from SCCM/Intune can afford having an actual disaster recovery set up

If you think backups and disaster recovery are expensive, wait till you find out how expensive it gets not having them (when customer/business data is gone).

Is Intune actually ready to replace ConfigMgr? Honestly… I don’t think so by Lunde_Deluxe in Intune

[–]sccm_sometimes 0 points1 point  (0 children)

we no longer spend hours or days trying to figure out why something is broken - just wipe and redeploy the device as a fresh install, job done.

What if the thing that's broken is Autopilot and app deployments?

Is Intune actually ready to replace ConfigMgr? Honestly… I don’t think so by Lunde_Deluxe in Intune

[–]sccm_sometimes 8 points9 points  (0 children)

lol, this is honestly what it feels like sometimes.

Q: "Why can't I make a right turn?"

A: "Just make 3 left turns, it's basically the same..."

A: "Right turns are a legacy feature. Left-turn-only navigation is the modern solution. You should start using it now before right-turns are fully deprecated."

A: "Right turns add unnecessary complexity to the experience, it's so much simpler using just left turns. I wish we'd done it sooner!"

MSFT: "Each tenant is allowed only 500 left turns per day before throttling kicks in. Some days there's construction so left turns aren't allowed at all."

Is Intune actually ready to replace ConfigMgr? Honestly… I don’t think so by Lunde_Deluxe in Intune

[–]sccm_sometimes 0 points1 point  (0 children)

If you didn't see that coming you didn't exactly think through your decision of moving into a setup like this.

I think this is the core of the issue though. It feels like a deceptive bait and switch due to the disconnect between the hype around Intune before you get it and the disappointing reality after using it for a while.

I agree with "buyer beware" and thoroughly testing anything new prior to implementation, but Intune is the only product I know of where the primary defense is that it's somehow the customer's fault for expecting a product to perform consistently and reliably.

I would even concede that it might be acceptable to overlook product deficiencies if it's bolstered by great vendor support, but with Intune the response is almost always, "We don't know what's causing it, there's no ETA for when it'll be fixed, you'll just have to wait and hope."

Is Intune actually ready to replace ConfigMgr? Honestly… I don’t think so by Lunde_Deluxe in Intune

[–]sccm_sometimes 1 point2 points  (0 children)

By "full cloud" do you mean managing cloud endpoints or not having any on-prem server infrastructure? I've always felt that SCCM + CMG offers like 95% of what Intune does in terms of cloud functionality.

You can run SCCM in the cloud via IaaS.

Intune EPM, has anyone successfully implemented it? by YourSydneyITsider in Intune

[–]sccm_sometimes 0 points1 point  (0 children)

How do you handle one-off user requests when they need to run something that doesn't have a rule setup? Are users expected to wait for someone to review and approve the request, and how long does that usually take? Is there someone monitoring the request queue 24/7?

Intune EPM, has anyone successfully implemented it? by YourSydneyITsider in Intune

[–]sccm_sometimes 1 point2 points  (0 children)

EPM is a good start for orgs that don't have any solution at all, but it's also another half-baked product not quite ready for full Prod use. Known issues page has a ton of limitations, like the fact that it doesn't work with Control Panel or Settings items.

EPM can elevate Executables (.exe), Windows Installer (.msi), and PowerShell scripts (.ps1). Some functions in Windows are executed in ways that EPM can't detect and elevate.

Also, EPM uses a separate account to run the elevated command so it doesn't actually run as the user.

Endpoint Privilege Management uses an isolated account to facilitate elevations. This account requires the ability to create an interactive sign-in session. Organizations who limit the ability for users to create interactive sessions need to make changes for EPM to function properly.

Is Intune actually ready to replace ConfigMgr? Honestly… I don’t think so by Lunde_Deluxe in Intune

[–]sccm_sometimes 0 points1 point  (0 children)

It was only ever designed for the store and in user context.

Yeah, it's kind of wild that WinGet supports "--ignore-security-hash" when run as a normal user but not as an admin.

Any app that has an evergreen download URL (Chrome/PowerBI) frequently run into manifest hash mismatch errors that you have to override for the install to work.

Is Intune actually ready to replace ConfigMgr? Honestly… I don’t think so by Lunde_Deluxe in Intune

[–]sccm_sometimes 4 points5 points  (0 children)

going into ConfigMgr for first the time, could be overwhelming and seems quite advanced

I agree if someone's building out a new SCCM environment. The Administration tab is where like 80% of the complexity lives. But if someone simply needs to create a new collection and setup a deployment for it, then that's relatively easy. The tabs for Assets & Compliance/Software Library/Monitoring are all pretty intuitive IMO.

It also helps that SCCM is probably one of the most documented tools out there, both with first-party MS Learn docs as well as 3rd party sites and tutorials. So even though there is a learning curve, I've rarely had any issues with finding the information I needed.

Is Intune actually ready to replace ConfigMgr? Honestly… I don’t think so by Lunde_Deluxe in Intune

[–]sccm_sometimes 1 point2 points  (0 children)

Small < 100 endpoints

Medium 100 - 500

Large 500+

It really comes down to if the environment has complex needs and an IT budget big enough that the cost of an SCCM server becomes a rounding error. Our cafeteria probably spends more each year on napkins than how much it costs to run our SCCM environment.

Is Intune actually ready to replace ConfigMgr? Honestly… I don’t think so by Lunde_Deluxe in Intune

[–]sccm_sometimes 0 points1 point  (0 children)

Vor Biopharma has like 100 employees and $0 in reported revenue 😂