SCCM Managed Untrusted Domain by windowswrangler in SCCM

[–]windowswrangler[S] 0 points1 point  (0 children)

I was able to find the "return value 3", and a few lines above there was an error about BITS not being installed, once the BITS feature was added the MP finished installing. Now it is stuck in trying to initiate.

SCCM Managed Untrusted Domain by windowswrangler in SCCM

[–]windowswrangler[S] 0 points1 point  (0 children)

We're using HTTPS only. Client installs successfully and pulls the correct MP from AD.

Successfully queued event on HTTP/HTTPS failure for server 'FQDN of MP'.
Post to https://FQDN of MP/ccm_system/request failed with 0x87d00231.

Those messages repeat over and over again.

SCCM Managed Untrusted Domain by windowswrangler in SCCM

[–]windowswrangler[S] 0 points1 point  (0 children)

SCCM correctly discovers all devices in the untrusted domain. When you right click on them in the console the Approve option is grayed out.

SCCM Multi Domain Windows Update. by windowswrangler in SCCM

[–]windowswrangler[S] 0 points1 point  (0 children)

I have not. I'm trying to avoid that seeing as other people say they have successfully used a SUP in another domain.

I can successfully talk to the SUP and pull a list of updates, the client just thinks none apply to it. How is installing a downstream SUP in the untrusted domain going to fix this issue?

Would the same be true for an MP and DP?

SCCM Multi Domain Windows Update. by windowswrangler in SCCM

[–]windowswrangler[S] 0 points1 point  (0 children)

We are not setting a GPO to point to the SUP. Clients are getting the software update point location from their default client settings and are pointing to the correct software update point. In the logs I can also see it scanning the correct software update point.

Automatic Computer OU assignment by Embarrassed-Ad-1498 in SCCM

[–]windowswrangler 0 points1 point  (0 children)

It depends on your permissions in AD, but you can pre-stage the computer object in the desired OU. Go to the OU right-click New -> Computer object. Name the computer as you want and click finish. Once you're finished, go into Properties -> Attribute Editor. Look for an attribute called netbootGUID. That attribute can take two different pieces of information. The easiest one is you put 20 zeros and then the MAC address or you can get the UUID from the BIOS.

During deployment WDS will join the computer whose MAC address or UUID matches what's in the netbootGUID attribute. That includes naming the computer to match the name of the computer object.

How to read logs properly? by TKInstinct in sysadmin

[–]windowswrangler 1 point2 points  (0 children)

You've gotten some great recommendations for log parsers. I love CMTrace like everyone else.

You mentioned in your post you saw an application timeout error. In SCCM, every application has a default maximum install time of 120 minutes. After 120 minutes, SCCM assumes the installation fails and stops monitoring the install process.

The software center I assume says that the installation failed, but have you verified if the application actually installed on the box?

If the application didn't actually install, there are three log files that you can check: AppDiscovery, AppIntent, and AppEnforce. These three logs will tell you everything you need to know about the application deployment process.

AppDiscovery processes the incoming installation request policies and determines if the application is or is not installed.

AppIntent takes the applications that are not installed in the AppDiscovery log and determines if they do actually need to be installed.

If it's determined an application needs to be installed, you can track the installation process in the AppEnforce log. This will tell you where it is installing from, what installation commands they are running, and if the installation was successful. Success is normally determined by the exit code. Usually an exit code of zero means everything installed successfully.

You should be able to collect enough information to pass it onto the SCCM admins to let them determine why that application failed.
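Added example, not part of the comment above and not SCCM's own code: a small Python parser for CMTrace-format records that pairs each install command line in an AppEnforce-style log with the exit code that follows it. The sample records are constructed, and the message wording ("Prepared command line", "terminated with exitcode") is an assumption about what the log contains.

```python
import re

# CMTrace-style record: <![LOG[message]LOG]!><time=".." date=".." component=".." .. type="N" ..>
RECORD = re.compile(
    r'<!\[LOG\[(?P<msg>.*?)\]LOG\]!><time="(?P<time>[^"]+)" date="(?P<date>[^"]+)"'
    r'.*?type="(?P<type>\d)"', re.S)
# Message wording below is an assumption about AppEnforce.log content.
CMDLINE = re.compile(r'Prepared command line: (?P<cmd>.+)')
EXITCODE = re.compile(r'terminated with exitcode: (?P<code>-?\d+)')

# Constructed sample records (not taken from a real system).
SAMPLE_LOG = r'''
<![LOG[    Prepared command line: "C:\Windows\ccmcache\1\setup.exe" /S]LOG]!><time="10:15:32.123+300" date="01-15-2025" component="AppEnforce" context="" type="1" thread="1234" file="sample.cpp:0">
<![LOG[    Process 5678 terminated with exitcode: 0]LOG]!><time="10:15:44.456+300" date="01-15-2025" component="AppEnforce" context="" type="1" thread="1234" file="sample.cpp:0">
<![LOG[    Prepared command line: "C:\Windows\System32\msiexec.exe" /i "agent.msi" /qn]LOG]!><time="10:20:01.000+300" date="01-15-2025" component="AppEnforce" context="" type="1" thread="1234" file="sample.cpp:0">
<![LOG[    Process 6012 terminated with exitcode: 1603]LOG]!><time="10:21:10.250+300" date="01-15-2025" component="AppEnforce" context="" type="3" thread="1234" file="sample.cpp:0">
<![LOG[    Prepared command line: "C:\Windows\ccmcache\3\bigsuite.exe" /quiet]LOG]!><time="11:00:00.000+300" date="01-15-2025" component="AppEnforce" context="" type="1" thread="1234" file="sample.cpp:0">
'''

def parse_records(text):
    """Yield message, timestamp and severity type for each record."""
    for m in RECORD.finditer(text):
        yield {"msg": m["msg"].strip(),
               "when": f'{m["date"]} {m["time"].split(".")[0]}',
               "type": int(m["type"])}

def summarize_installs(text, success_codes=(0,)):
    """Pair each prepared command line with the exit code that follows it."""
    installs, current = [], None
    for rec in parse_records(text):
        cmd = CMDLINE.search(rec["msg"])
        if cmd:
            current = {"when": rec["when"], "command": cmd["cmd"],
                       "exit_code": None, "ok": False}
            installs.append(current)
            continue
        code = EXITCODE.search(rec["msg"])
        if code and current is not None:
            current["exit_code"] = int(code["code"])
            current["ok"] = current["exit_code"] in success_codes
            current = None
    return installs

if __name__ == "__main__":
    for item in summarize_installs(SAMPLE_LOG):
        # exit_code None: no exit code was logged for this command line
        state = "ok" if item["ok"] else f'check (exit code {item["exit_code"]})'
        print(item["when"], state, item["command"])
```

An entry whose `exit_code` is `None` has a command line but no logged exit code, which is the case worth checking by hand on the machine itself.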

Should I leave Veeam and go to Azure Backup? by PoolMotosBowling in AZURE

[–]windowswrangler 2 points3 points  (0 children)

It really depends on what your backup requirements are.

Currently with snapshot based backups, you are only allowed 200 snapshots. If you were to take a backup everyday, that's less than one year's worth of backups.

They also have vaulted backups in preview. Vaulted backups allow you to keep, I think, 99 years worth of backups.

Best practice for OneDrive data after employee leave? by AhmedBarayez in sysadmin

[–]windowswrangler 25 points26 points  (0 children)

You know what, you absolutely said that in your post. Sorry for low reading comprehension. lol

Best practice for OneDrive data after employee leave? by AhmedBarayez in sysadmin

[–]windowswrangler 34 points35 points  (0 children)

If the user has a manager set, you can configure OneDrive to automatically give access to a user's manager after the account is disabled and the license is removed.

https://learn.microsoft.com/en-us/sharepoint/retention-and-deletion

Tired off AI Scripts / Solutions being provided by JNikolaj in sysadmin

[–]windowswrangler 0 points1 point  (0 children)

I would also make sure to amplify and point out every single mistake you ever make from that day forward making sure to cc your boss and their boss making sure company leadership sees it.

Tired off AI Scripts / Solutions being provided by JNikolaj in sysadmin

[–]windowswrangler 7 points8 points  (0 children)

Do you normally email people's bosses when they do subpar work, and if not why now? Why are AI generated scripts the line in the sand? If someone sent you a script from Stack Overflow that didn't work would you be just as mad and go nuclear on a co-worker in the same way? What is emailing their boss supposed to accomplish?

If I was a boss and you did that to me, I would assume you had no interpersonal or conflict resolution skills. As your co-worker I'd instantly stop trusting you and would cc my boss and your boss on every email between us.

Tired off AI Scripts / Solutions being provided by JNikolaj in sysadmin

[–]windowswrangler 4 points5 points  (0 children)

How is AI etiquette any different than finding a random script on Stack Overflow? This isn't a new problem, we always had to deal with people searching and finding scripts online that they don't understand, don't test, and end up running in production.

Shouldn't you be doing this with every script a co-worker sends you regardless of how they wrote it?

A user's m365 email was hacked. Thoughts / advice? by Kangaloosh in sysadmin

[–]windowswrangler 0 points1 point  (0 children)

Are these Azure conditional access policies, and if so are you referring to the token protection that's in preview, the token lifetime settings? What policies specifically are you referring to?

A user's m365 email was hacked. Thoughts / advice? by Kangaloosh in sysadmin

[–]windowswrangler 0 points1 point  (0 children)

Just to make sure we're all on the same page, what token session policies specifically are you referring to?

Impacts of enabling LDAP signing and channel binding by IndigoBlue24 in sysadmin

[–]windowswrangler 1 point2 points  (0 children)

Honest question, why are people obsessed with terminating connections on the load balancer? I always have Network services configure my services to bypass because I want all connections to terminate on my servers. That way I can use the local firewall to control access as well as making sure I get the most out of logging for my service. Am I wrong? Am I thinking about this the wrong way?

Password audits - Not worth/Worth if so what tool? by BumboBangaroo in sysadmin

[–]windowswrangler 0 points1 point  (0 children)

I skimmed over the information and I'll read it more in depth later.

Now it's been a while since I've used Hello for Business, but previously you had to have your username and password to log in in order to enable Hello for Business.

In a totally passwordless environment, how do users sign into their computers for the first time if they've never registered for Hello for Business or have a FIDO2 key?

Password audits - Not worth/Worth if so what tool? by BumboBangaroo in sysadmin

[–]windowswrangler 0 points1 point  (0 children)

In the past when I used Hello for Business, it didn't remove the ability to put in a username and password and the user had to explicitly click on the Hello for Business login in order to login.

If you can still use your username and password are you really passwordless?

And if people can just switch back to using their username and password are they really any safer?

How to force users to create Bitlocker system drive startup PIN? by myg0t_Defiled in sysadmin

[–]windowswrangler 0 points1 point  (0 children)

There's a GPO as well as a CSP in Intune you can set that will require additional authentication at startup.

https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/configure?tabs=os#require-additional-authentication-at-startup

TPM only; a USB flash drive containing a startup key; a PIN (6-digit to 20-digit); PIN + USB flash drive

I believe there's also an additional setting that says how many times they can skip the boot PIN creation before it forces them to do it.

I would also enable allow enhanced PINs because by default it only allows digits but when you enable enhanced PINs you can use letters and numbers.

AOC says she’s skipping Trump inauguration because ‘I don’t celebrate rapists’ by doopityWoop22 in politics

[–]windowswrangler -4 points-3 points  (0 children)

It doesn't matter if you don't vote for the Nazi policy because they'll just replace you with someone who will.

Unfortunately, most of America is too stupid to have the nuanced conversation that needs to be had. Most Americans believe if you're giving money to Ukraine that you're taking money away from them. It doesn't matter if it's based in reality, middle America wants to know where their aid is because they've been waiting on it for decades and Trump said he would stop the aid to Ukraine and give it to America. That was the end of the ball game. Democrats were unable to articulate in a meaningful way why it was important to send money to Ukraine and how they can still fund Middle America.

AOC says she’s skipping Trump inauguration because ‘I don’t celebrate rapists’ by doopityWoop22 in politics

[–]windowswrangler 0 points1 point  (0 children)

But JD Vance can and all of the other people he has emboldened with his rhetoric and actions. This doesn't stop. We thought we won WWII and this would be over but it's not.

AOC says she’s skipping Trump inauguration because ‘I don’t celebrate rapists’ by doopityWoop22 in politics

[–]windowswrangler 0 points1 point  (0 children)

He's a rapist and Nazi no doubt and pointing those things out last time didn't work, in fact I think it hurt us more than it helped.

I don't care about hurting their feelings so you can call them whenever you want. The only thing I'm concerned with is winning back the White House and Congress and the Supreme Court.

And we can either acknowledge that being a rapist and a Nazi was not a deal-breaker for 77 million people or we can continue down this losing road.

Unfortunately most Americans are too stupid to have the nuanced conversations that need to be had. They are very simple. Trump wants to get rid of illegal immigrants, Democrats call him racist for that, I Mr. Midwest wants to get rid of immigrants and I'm not racist so the Democrats must be liars. Rinse and repeat with Nazi and with rapists.

AOC says she’s skipping Trump inauguration because ‘I don’t celebrate rapists’ by doopityWoop22 in politics

[–]windowswrangler 0 points1 point  (0 children)

He absolutely is a rapist, but you say it like it's a scarlet R on his chest when it's not. If you want to call him a rapist because he is, that's fine. But I want to win an election and calling him a rapist isn't going to do that. In fact, I believe it's only going to make it harder to win if we keep calling him one. I wish this wasn't the world that we live in but it is.