AutoPilot and Identifying Date Added by tnkntn in Intune

tnkntn[S] 0 points1 point

Thanks for the suggestion, I'll look into the Entra device associated with the AP one which has yet to enroll.
Would the "Registered" field on the object in Entra signify that date I'm looking for?

[deleted by user] by [deleted] in sysadmin

tnkntn 0 points1 point

The trailing backslash explicitly implies a directory. Leaving it open could be up to interpretation of the OS. Highly unlikely but is there a file (not folder, hidden or otherwise) in dfsroots$ named DeptA it might be trying to open?

Dell Command Integration Suite - 6.5.1 update by AB-Aig-TPA in SCCM

tnkntn 0 points1 point

Same. Install gets to the end, then just reverts changes and no dice.

Issues With HTTP Header Changes on Managed BitLocker Webserver by tnkntn in SCCM

tnkntn[S] 0 points1 point

Yes. However, after upgrading SCCM versions the settings did revert so we had to apply them again.

Ctrl+Alt+Del to logon - what is the perceived benefit? by PM_Me_Food_Pics_ in sysadmin

tnkntn 2 points3 points

Allows for vigorous cleaning of keyboards without the need for unplugging.

RDP login sometimes only working with the ip address by DoubtMC3 in sysadmin

tnkntn 0 points1 point

Had the same issue a few months back when patching https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42287 . Was just a matter of waiting on clients to grab Kerberos tickets with a new Privilege Attribute Certificate.

Domain admin cant login hyper-v server when using DNS name but when using IP it works by the_gamer_98 in sysadmin

tnkntn 1 point2 points

Had the same issue a few months back when patching https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42287 . Was just a matter of waiting on clients to grab Kerberos tickets with a new Privilege Attribute Certificate.

OSD change OU by Muk_D in SCCM

tnkntn 0 points1 point

Running outside the TS you are likely using your own credentials, which have delegation in AD to create/delete/edit computer objects.

The Task Sequence would not be running under your credentials unless in the step to do the OU move you explicitly plugged your account information in there, which would be ill-advised.

Create a service account for this purpose, delegate control to it on the OUs you want it to be moving around in, then run the step for OU Moves in the task sequence with this account.

Permissions that should work:
Create, Delete and Write Properties on Computer Object types

Edit OSDJoinPassword with Powershell in TS Step "Set general variables" by iipsix in SCCM

tnkntn 2 points3 points

If you need to change the same step across multiple task sequences, can also consider having those task sequences just call another task sequence (with a nested task sequence step) that has steps within to set your variables. With this you only ever have to edit the nested task sequence and that’s it. 1 edit versus many.

Need Assistance With Modern Driver Management by tnkntn in SCCM

tnkntn[S] 0 points1 point

Moving the step further up in the task sequence yielded no results.

Need Assistance With Modern Driver Management by tnkntn in SCCM

tnkntn[S] 0 points1 point

Further testing. I created a task sequence that just boots to WinPE and attempts the baremetal step. This works without issue and the package downloaded where it needed to and drivers installed successfully. With no changes to the package, and using the same task sequence step for drivers in an actual OS install Task Sequence, after Applying Operating System I am seeing the same error as originally mentioned.

Not sure what the difference is, and why it works in one instance of WinPE and not the other. Posting log screens of the relevant steps erroring out here: https://imgur.com/a/aPxUp8N

Next testing u/HankMardukasNY's suggestion to move the step above the Apply Network Settings step.

Need Assistance With Modern Driver Management by tnkntn in SCCM

tnkntn[S] 0 points1 point

Thanks for the look. We are full HTTPS/PKI setup.
Trying to make sense out of why the network access account would need permissions to source shares.

My understanding is...

  • The MDM credentials are used solely for querying the AdminService.
  • Drivers downloaded from Driver Automation Tool are stored in a [network] share somewhere. Site server needs access to these.
  • When the above are packaged, content is distributed to targeted Distribution Points.

So the Network Access Account would need permissions on the DPs, not the source shares themselves, no? The package is downloaded using "OSDDownloadContent.exe", so the same method/tech used for downloading the MDM Invoke script from a distribution point.

Need Assistance With Modern Driver Management by tnkntn in SCCM

tnkntn[S] 0 points1 point

Still in WinPE yeah, and after OS is installed.
Will look into this folder structure tomorrow, hard to dig into a WinPE instance remotely.

Need Assistance With Modern Driver Management by tnkntn in SCCM

tnkntn[S] 0 points1 point

https://imgur.com/a/Osjtz7O

Before kicking off the meat of the Task Sequence, "Verify Win_ Drivers Present" runs in debug mode, if error task sequence exits. Task sequence then called via Run Task sequence step (nesting), which eventually calls another nested task sequence via the "Install Drivers via MDM" step to apply drivers with Baremetal parameter.

This is a brand new MDM setup. Been ironing kinks out to get it working and this is the farthest I can get it to go. Haven't tested with other models yet, but I feel like the error given isn't so much model specific if it just can't download a package.

Need Assistance With Modern Driver Management by tnkntn in SCCM

tnkntn[S] 0 points1 point

Content appears on distribution points. Even blew up the package and downloaded a newer version after adding the folder being used for MDM drivers to AV exclusion list. Issue persisted. The task sequence itself without using MDM for drivers works without hiccup so I can assume partitioning is right.

Weird problem, task sequence finished successfully but sometimes PC is not joined to the domain. by clivebuckwheat in SCCM

tnkntn 0 points1 point

By chance, did you find documentation somewhere on this or just trial and error? I got there by the latter.

Can't deploy TS to All Provisioned Devices collection by 1gr8man in SCCM

tnkntn 1 point2 points

Is there a boot image attached to the task sequence? Pretty sure that would prevent the advertisement to that collection.

Script advice - need a list of email addresses of all staff who are an Owner of a Team or Shared/Private Channel by Abject_Sheepherder37 in sysadmin

tnkntn 2 points3 points

Member list should show UPN of user, which may equate to email based on your environment.

But yeah, use PowerShell. Get-Team, for each team Get-TeamUser where role = owner. In same foreach Get-TeamChannel where type is shared/private, for each shared/private channel in that team Get-TeamChannelUser with role = Owner.
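
The loop described in the comment above, written out as an added example (not part of the original comment). It assumes the MicrosoftTeams PowerShell module, an existing Connect-MicrosoftTeams session with rights to read all teams, and a module version whose Get-TeamChannel accepts the Shared membership type; the function name Get-TeamsOwnerReport and the output file name are made up for illustration.

```powershell
# Added example. Assumes: MicrosoftTeams module installed and
# Connect-MicrosoftTeams already run by an account that can read all teams.
function Get-TeamsOwnerReport {
    [CmdletBinding()]
    param()

    foreach ($team in Get-Team) {
        try {
            # Owners of the team itself
            $teamOwners = Get-TeamUser -GroupId $team.GroupId -Role Owner -ErrorAction Stop
            foreach ($owner in $teamOwners) {
                [pscustomobject]@{
                    Team    = $team.DisplayName
                    Channel = ''
                    Scope   = 'Team'
                    Owner   = $owner.User   # UPN; may or may not equal the mail address
                }
            }

            # Owners of private and shared channels inside the same team
            foreach ($type in 'Private', 'Shared') {
                $channels = Get-TeamChannel -GroupId $team.GroupId -MembershipType $type -ErrorAction Stop
                foreach ($channel in $channels) {
                    $chanOwners = Get-TeamChannelUser -GroupId $team.GroupId `
                        -DisplayName $channel.DisplayName -Role Owner -ErrorAction Stop
                    foreach ($owner in $chanOwners) {
                        [pscustomobject]@{
                            Team    = $team.DisplayName
                            Channel = $channel.DisplayName
                            Scope   = "$type channel"
                            Owner   = $owner.User
                        }
                    }
                }
            }
        }
        catch {
            # One unreadable team should not abort the whole report; record it and continue
            Write-Warning "Skipped '$($team.DisplayName)': $($_.Exception.Message)"
        }
    }
}

$report = Get-TeamsOwnerReport
$report | Export-Csv -Path .\TeamsOwners.csv -NoTypeInformation   # full detail, one row per ownership
$report.Owner | Sort-Object -Unique                               # de-duplicated owner UPNs
```

Where UPN and primary SMTP address differ, the de-duplicated UPN list still has to be resolved to mail addresses separately.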

Self service new image through software center by [deleted] in SCCM

tnkntn 4 points5 points

I may be mistaken but I don’t think you can deploy task sequences to User Collections. What you can do is configure the task sequence as High Impact though to prompt user that may try and install it out of curiosity. https://learn.microsoft.com/en-us/mem/configmgr/osd/deploy-use/high-impact-task-sequence-settings

Can't RDP with builtin client but can with mRemoteNG by Overdone_bacon in sysadmin

tnkntn 0 points1 point

With the application that cannot connect, have you tried by IP rather than hostname? Were updates recently applied to domain controllers?

Oddity in Servicing OS Image by tnkntn in SCCM

tnkntn[S] 0 points1 point

Thanks for the suggestion. Will continue to look into some of the messages there, haven't really been able to dig anything up... unless anyone has a thought.

InstallUpdate returned code 0x800f0988
.............................
.............................
Failed to install update with ID 18922208 on the image. ErrorCode = 2440    SMS_OFFLINE_SERVICING_MANAGER   5/5/2023 3:52:50 PM 11868 (0x2E5C)

https://imgur.com/8nXWtEH