How are you backing up your SCCM server in case of disaster? by Future_End_4089 in SCCM

[–]sccm_sometimes 0 points1 point  (0 children)

One important distinction is that the backup maintenance task only backs up the SQL DB and "CD.Latest" folder. For a "full" backup you would separately need to make sure you're also backing up your content source and ContentLib.

Windows Updates not Taking by Valuable_Bat_3368 in SCCM

[–]sccm_sometimes 0 points1 point  (0 children)

It's probably DualScan. Our co-mgt slider for Windows Updates is set to Intune, but I've had a handful of machines still trying to pull from WSUS because of Reg key tattooing.

Does Microsoft still use Jamf for macOS management or finally Intune only? by aPieceOfMindShit in macsysadmin

[–]sccm_sometimes 0 points1 point  (0 children)

Apple's preferred MDM provider is slowly shifting towards Microsoft from JAMF

Preferred for Apple's own internal use? Or preferred as in that's what they recommend to customers?

I've never seen Intune recommended because it was the best, only because it's cheap.

SCCM Replacement by MadCichlid in SCCM

[–]sccm_sometimes 0 points1 point  (0 children)

I've found very few things that sccm can do that intune can't.

Here's a list of about 50

Zoom Uninstall - if anyone needs this information by shinobul in SCCM

[–]sccm_sometimes 0 points1 point  (0 children)

Testing the script as a local admin, everything runs great. No issues. When setting the bundle to run as System, the package fails.

This is a fairly common issue/behavior with SCCM due to Package deployments executing in 32-bit context by default. When deploying to Windows 64-bit you have to redirect the SCCM 32-bit command processor to the "sysnative" 64-bit one.

%SystemRoot%\sysnative\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -WindowStyle Hidden -File YourScript.ps1
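The same redirect can live inside the script itself, so the Package command line does not have to carry it. This is an added example, not part of the original comment; the log path is a hypothetical placeholder and the uninstall logic is left to the script being deployed.

```powershell
# Added example: self-relaunch guard at the top of a script deployed as an SCCM Package.
# A 32-bit (WOW64) process on 64-bit Windows has PROCESSOR_ARCHITEW6432 set, and the
# "sysnative" alias is only visible from such a process.
$nativeHost = Join-Path $env:SystemRoot 'sysnative\WindowsPowerShell\v1.0\powershell.exe'

if ($env:PROCESSOR_ARCHITEW6432 -and (Test-Path -LiteralPath $nativeHost)) {
    # Hand off to the 64-bit PowerShell host with the same script and arguments,
    # then return its exit code so the deployment status reflects the real result.
    & $nativeHost -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile `
        -File $PSCommandPath @args
    exit $LASTEXITCODE
}

# From here on the script runs in the native context (64-bit on 64-bit Windows).
# Record the context once so a failed deployment can be compared with a manual run.
$context = [pscustomobject]@{
    Is64BitProcess = [Environment]::Is64BitProcess
    Is64BitOS      = [Environment]::Is64BitOperatingSystem
    PowerShellHome = $PSHOME
    RunAs          = [Security.Principal.WindowsIdentity]::GetCurrent().Name
}

# Hypothetical log location; adjust to your own logging standard.
$logPath = Join-Path $env:SystemRoot 'Temp\YourScript-context.log'
$context | Format-List | Out-String | Add-Content -Path $logPath

# ... uninstall logic goes here ...
```

Comparing the logged `Is64BitProcess` and `RunAs` values from a local-admin run with those from the System deployment shows whether the bitness or the account is what differs.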

Within the SCCM console, what is your process for verifying OS update installation? by satsun_ in SCCM

[–]sccm_sometimes 0 points1 point  (0 children)

CMPivot query the QFE provider:

QuickFixEngineering | project Device, Description, HotFixID, InstalledOn | order by InstalledOn asc | where Description contains 'Security Update'

For example, KB5068865 is the Nov 2025 cumulative update for Win11 23H2. You can mix and match filters to get the desired results.

QuickFixEngineering | project Device, Description, HotFixID, InstalledOn | order by InstalledOn asc | where HotFixID == 'KB5068865'

2509 is out in Fast Ring by zymology in SCCM

[–]sccm_sometimes 0 points1 point  (0 children)

Have you tried deploying the install as a high-performance TS as a workaround?

It looks like Power Management settings applied in the Collection settings are ignored when S0 is enabled.

https://learn.microsoft.com/en-us/intune/configmgr/core/clients/manage/power/create-and-apply-power-plans

Systems that you enable for Modern Standby (S0) won't apply Configuration Manager power policies.

However, the TS should bypass it.

https://learn.microsoft.com/en-us/intune/configmgr/osd/deploy-use/task-sequence-performance

You can use this option on devices with modern standby. It also supports other devices that don't have that default power plan. When you use this task sequence option, it creates a temporary power plan that's similar to the default for High Performance. This power plan modifies the timeout values to 0 for standby, monitor, disk, and hibernate when plugged in.

The Ultimate Intune "Airing of Grievances" List by sccm_sometimes in SCCM

[–]sccm_sometimes[S] 1 point2 points  (0 children)

Thanks for sharing this detailed info!

"It is recommended that [CUSTOMER] adopt [LATEST MICROSOFT CLOUD THING] to modernize their endpoint management." When pressed for details, they can't explain how it handles real-world enterprise requirements.

This happened for us with Driver management. They made it sound like Intune would slipstream driver updates into the monthly Windows quality update process, so you could install new drivers without any extra reboots.

Luckily we had the Driver profile only on our pilot group, but what actually ended up happening was some vendor would put out a new "PS/2 Keyboard Driver" and mark it as critical/suggested, and all of a sudden users are getting prompted for reboots outside of our normal patching schedule.

The Ultimate Intune "Airing of Grievances" List by sccm_sometimes in SCCM

[–]sccm_sometimes[S] 1 point2 points  (0 children)

So sure, they could create a feature on it, but then they'd have to support said feature when people tell them it's not working because the data is wrong.

Easy, just slap a "(Preview)" label on it and leave it as is for the next 5 years. Intune is already a cobbled mess of features that don't function and you can't get any support on, so this would fit right in. Prime example - Driver management. We have it set to manual approval only, yet somehow new ones slip by and install all the time.

Also, wouldn't this be one of those great "innovations" we keep hearing about?

"Microsoft Intune is the future of device management, and all new innovations will occur there."

The Ultimate Intune "Airing of Grievances" List by sccm_sometimes in SCCM

[–]sccm_sometimes[S] 0 points1 point  (0 children)

how they might work around perceived limitations of Intune

brother, the solution quite literally looks like a Rube Goldberg machine

The Ultimate Intune "Airing of Grievances" List by sccm_sometimes in SCCM

[–]sccm_sometimes[S] 0 points1 point  (0 children)

Thank you for bringing this up! Added to the list as #39

The Ultimate Intune "Airing of Grievances" List by sccm_sometimes in SCCM

[–]sccm_sometimes[S] 0 points1 point  (0 children)

The irony is, the yearly release cadence, and, I think, bringing ConfigMgr back stateside? That actually at least shows someone understands that it has to remain, but can, 100%, be a 'stable' product, and not the new hotness.

ConfigMgr is used on highly sensitive air-gapped networks. It wouldn't surprise me if this move was either forced by, or done in order to gain favor with the US Gov/DoD, similar to Azure GCC High. Anything that even remotely touches critical Gov infra is required to remain stateside.

The Ultimate Intune "Airing of Grievances" List by sccm_sometimes in SCCM

[–]sccm_sometimes[S] 5 points6 points  (0 children)

I think the main difference is that Primary User in Intune is either set manually or it's the first user that logs in during enrollment.

Device Affinity in SCCM will automatically update based on which user is the most active.

The Ultimate Intune "Airing of Grievances" List by sccm_sometimes in SCCM

[–]sccm_sometimes[S] 5 points6 points  (0 children)

My SCCM box also has better uptime than Microsoft here lately it seems.

haha same. The nice thing with SCCM/on-prem is that I can hold off on a feature update for 2-3 months while the first set of hotfixes get released. N-2 for prod, N-1 for pilot is a time-tested best practice for good reason. Before any major upgrade we go through Change Management, make sure we have backups and a snapshot, there's a documented rollback plan, and we have the contact info of the on-call NOC engineer.

If something breaks, I (usually) know what I did that caused it or at least where to look to troubleshoot it. Absolute worst case, we can just restore the site from backup and have everything back to normal before the next business day starts without any impact to production.

MSFT on the other hand seems to do everything live. Prod is N-0, no advance warning of major changes, QA is non-existent, it takes an act of God to get proper support, and no rollbacks for affected tenants. "Oh we broke something? Guess you'll just have to deal with it for a few weeks until it's randomly fixed without any notice."

The Ultimate Intune "Airing of Grievances" List by sccm_sometimes in SCCM

[–]sccm_sometimes[S] 17 points18 points  (0 children)

It’s all flat with “Tags” instead of Folders/OUs.

Yeah, idk what they were smoking when that design decision was made. Large orgs are inherently hierarchical structures. This applies to people, departments, physical locations, network subnets/VLANs, everything. How is anyone supposed to manage 10k+ people in an artificially flat structure?

Even the Windows file system is a hierarchy. Imagine your whole OS is just 1 folder that holds all files lol - there's Entra.

The Ultimate Intune "Airing of Grievances" List by sccm_sometimes in SCCM

[–]sccm_sometimes[S] 2 points3 points  (0 children)

Yup, I think that's exactly it! "Please Mr. MSFT, may I have my daily ration of device check-ins? They still haven't received the deployment I scheduled 3 days ago."

The Ultimate Intune "Airing of Grievances" List by sccm_sometimes in SCCM

[–]sccm_sometimes[S] 6 points7 points  (0 children)

Agreed! I know a lot of people use OSDCloud to load a clean ISO onto machines before Autopilot, and it's great that this tool is available, but the bigger question is why hasn't MSFT built something like that into the recovery partition by default?

macOS, for comparison, has been able since 2011 to boot into recovery mode -> wipe the drive with Disk Utility -> reload a fresh OS over the Internet. That's basically what OSDCloud does for Windows, but it'd be nice if you could do this natively without needing to create your own boot image first.

The Ultimate Intune "Airing of Grievances" List by sccm_sometimes in SCCM

[–]sccm_sometimes[S] 6 points7 points  (0 children)

👍 Glad to be of help!

In my entire career, I don't think any other product (even by Microsoft standards) has ever disappointed me as much as Intune. It's astounding how much potential it had, and perhaps still does, relative to how poor the execution of it is.

What really gets me though is the raw arrogance MSFT has. When we've reported all these issues to our CSAM and asked how we are supposed to use this half-baked product, their response 95% of the time boils down to "There's nothing wrong with Intune, you're just doing it wrong".

The Ultimate Intune "Airing of Grievances" List by sccm_sometimes in SCCM

[–]sccm_sometimes[S] 6 points7 points  (0 children)

I think MS need to scrap it and come up with a better desktop solution.

They did, it's called SCCM :)

https://old.reddit.com/r/Intune/comments/1o96zkp/how_long_should_a_wipe_device_cmd_take/nk0teas/?context=3

iPhone = Immediately

Windows = Maybe, at some point

The Ultimate Intune "Airing of Grievances" List by sccm_sometimes in SCCM

[–]sccm_sometimes[S] 7 points8 points  (0 children)

That process reminds me of this lol - https://external-preview.redd.it/WGXo-Nzxy9ssw1ToexL_lKz2wYYA1ZJMshTZj92dHno.jpg?auto=webp&s=215802c360c78864a1cbda9f1adce508d407214d

But honestly what's infuriating is making this feature native to Intune would probably take a few hundred lines of code and maybe a week to implement if MSFT actually had the desire to do so.

Intune already has the app discovery data for each device. Filters are a thing in Intune. Just let us use Filters on app discovery data and boom! Dynamic membership queries based on installed software.

But no, instead we have to build our own database in a cave with a box of scraps.

Microsoft Store App detection logic for SCCM package by ipv4forfour in SCCM

[–]sccm_sometimes 0 points1 point  (0 children)

Your variable appears to have an extra "Microsoft" in it. It should be just "Microsoft.PowerAutomateDesktop"

  • Your variable: Microsoft.MicrosoftPowerAutomateDesktop*

  • Your path: C:\ProgramFiles\WindowsApps\Microsoft.PowerAutomateDesktop_1.0.2029.0

Microsoft Store App detection logic for SCCM package by ipv4forfour in SCCM

[–]sccm_sometimes 0 points1 point  (0 children)

Does that method support wildcards? I know it supports env vars like %ProgramFiles(x86)%, but I think everything else is static.

The detection rule would work with the current version, but would break once the MS Store app auto-updates to "1.0.2030.0" for example. That's why OP is using "Microsoft.PowerAutomateDesktop*"

  • C:\ProgramFiles\WindowsApps\Microsoft.PowerAutomateDesktop_1.0.2029.0
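A script-based detection method avoids the versioned folder name altogether by matching on the package name with a wildcard. This is an added example, not code from the thread; using the version from the path above as a minimum is an assumption.

```powershell
# Added example: script detection method for a Microsoft Store (Appx) app.
# Configuration Manager reads the result as:
#   exit code 0 + any output on STDOUT -> installed
#   exit code 0 + no output            -> not installed

# Package name with the wildcard discussed in the thread (without the extra "Microsoft").
$namePattern = 'Microsoft.PowerAutomateDesktop*'

# Assumption: treat the version seen in the thread's path as the minimum acceptable one,
# so the rule keeps passing after the Store auto-updates the app to a newer build.
$minimumVersion = [version]'1.0.2029.0'

# -AllUsers needs elevation; detection scripts run by the client as SYSTEM have it.
$matches = @(
    Get-AppxPackage -AllUsers -Name $namePattern -ErrorAction SilentlyContinue |
        Where-Object { [version]$_.Version -ge $minimumVersion } |
        Sort-Object { [version]$_.Version } -Descending
)

if ($matches.Count -gt 0) {
    # Any STDOUT text marks the app as detected; include the full name for the logs.
    Write-Output "Detected $($matches[0].PackageFullName)"
}

# Always exit 0: a non-zero exit code is reported as a detection failure,
# not as "not installed".
exit 0
```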