Jump to content


All Activity

This stream auto-updates

  1. Yesterday
  2. Introduction Since the release of Windows 365 back in July 2021, Microsoft has been busy adding new features and abilities at a dizzying rate and the offering has become a global success story. 5 years have passed since it’s release and they are still adding new features. The latest is a feature called Windows 365 Reserve, but what is it exactly ? According to this page Windows 365 Reserve can be described as: “Your ready-to-use Cloud PC when the unexpected happens. Whether it’s a hardware failure, software issue, cyberattack, or short-term access need, Windows 365 Reserve ensures your workforce stays connected and your business keeps moving forward.” This definitely sounds to me like a disaster recovery type of scenario, when something goes wrong with a users physical laptop or desktop, or if it gets stolen or some other calamity happens to it but don’t confuse it with Microsoft’s dedicated Windows 365 Cross-region Disaster Recovery which is an add-on for Windows 365 Enterprise and Flex as that offers different capabilities to Windows 365 Reserve. Instead, think of this as a short-term Cloud PC access for users that use Physical PC’s but need access to their environment to continue working. What can the user do when a problem occurs ? The user can actually remain productive by using their assigned Windows 365 Reserve Cloud PC for up to 10 days (per year). And how does the user do that ? well if the Intune admin optionally configures Windows 365 Reserve settings to allow the end user to provision their own Reserve Cloud PC then that’s a self service win right there, otherwise the Intune Admin must do the actions on the provisioning policy itself (or use some automation). The caveat is that the user will still need a physical device of some sort to connect to their Windows 365 Reserve Cloud PC, but luckily there are many choices available such as Windows PC, macOS, iOS, Android, Linux via the Windows app or a web browser. Another point that’s worth noting and I’ll return to it a few times in this blog post is that setup of the Windows 365 Reserve Cloud PC’s must be done before any incident occurs so the Cloud PCs are ready for use by the users you target when needed, so not only must you set things up in advance, you also need to decide which users in your fleet are to be protected by this. Prerequisites Looking at these details, you can see there are some prerequisites. Each user requires a Windows 365 Reserve license. Licenses allow up to 10 days of Cloud PC access per year for one user. Users must also have: Windows 11 Enterprise Microsoft Intune Microsoft Entra ID P1 Windows 10 was included in the prerequisites but why even bother as it’s no longer supported except via ESU (Extended Security Updates). Regarding the other license requirements, if you have E3 or E5 then you are good to go. Licensing The licensing is a bit odd, in the admin portal you can see how many licenses are available but cannot assign them, that’s because you use the provisioning policy to actually assign the licenses. Another thing that’s really important here is you must not wait until a disaster happens for the end users you wish to protect with Windows 365 Reserve. Instead, you must add them to a group targeted by the provisioning policy (more of that later) in advance as the actual license assignment happens via that policy and needs to be done at least 7 days prior to usage. This detail is listed in the Windows 365 Reserve FAQ. The more I think about it, the more the word reserve in Windows 365 Reserve makes more sense, as you must reserve the Cloud PC for the user in advance of any issue, not after the effect. Creating the policy In Intune, browse to the Windows 365 provisioning node and create a new provisioning policy, give it a suitable name and select Reserve from the choices as the License type. When it comes to the Assignments step, point it to a previously created group where you’ve added your target users for Windows 365 Reserve. And that’s it. Once the policy is created the Windows 365 Reserve Cloud PC’s will remain in a state of Not Provisioned until you (or the end user, more of that below) take further action. Provisioning Reserve Cloud PCs That action must be taken on the provisioning policy level, after the policy is created, when needed by selecting the Cloud PC users tab. From there you can select one or more users (that are licensed/in the group) and if possible click on the Provision or Deprovision buttons which are greyed out in the screenshot below. Why are those buttons greyed out ? remember that 7 days in advance rule ? well if you haven’t waited 7 days you can’t do anything at this point and you cannot move forward. Pay close attention to the Can be provisioned after column as that’s when things can happen and that’s why preparing your Windows 365 Reserve provisioning policy well in advance of a problem (at least 7 days in advance) is super important. Not only that, but deciding who can avail of this feature is also important, if they are not licensed, and something bad happens, then this won’t help. You cannot assign a Windows 365 Reserve license to a user when the problem occurs and hope that this will help, as you’ll have to wait a full 7 days before provisioning the Cloud PC is even possible. User initiated provisioning As the Intune admin, you can modify the settings to allow end-users to initiate the provisioning of their Windows 365 Reserve Cloud PC via settings, shown here. The setting can be found in Windows app settings (preview) and is called Enable users to to provision new Cloud PC instances. Once enabled and deployed to your Windows 365 Reserve users, they will see a new option in the Windows app called Set up your Cloud PC. Side note, this option even appears in the web browser version of Windows app, shown below on a computer running Linux, via the Brave web browser. Fantastic! Using Reserve Cloud PCs A Windows 365 Reserve Cloud PC is basically the same as the 4vCPU, 16GB ram, 128GB storage SKU we are all familiar with, which is a good all round Cloud PC spec. So provisioning (aside from what I’ve mentioned above) and using one of the them is something that we should all be familiar with. There may be more SKU’s available in the future depending on demand. Summary Windows 365 Reserve is a great way of getting users back up to speed provided that an admin or disaster recovery team (business continuity) has already done the ground work well in advance of an ‘issue’ actually happening. In other words, the admin needs to be proactive, not reactive. In the real-world unfortunately there will be lots of reactive admins that want to give their users a Windows 365 Reserve Cloud PC, but cannot because they didn’t add the user to the assigned group(s) in time. I even asked Copilot the following question From an Intune admin perspective, would you say that most admins are proactive or reactive ? and below is the result. There are problems with the implementation that I’d like Microsoft to resolve and I wish I had been involved with a private preview of this feature. First of all, I’d suggest to remove the 7 days wait, that’s just a blocker in my opinion at least for those 60-70% of reactive admins mentioned earlier. If you even look at the common scenarios that this service is supposed to help with (according to Microsoft’s own documentation): Based on those Common scenarios, imaging you license only some of your users for Windows 365 Reserve, and let’s imagine that you are impacted by an outage or cyber incident and an entire team of users cannot work because they weren’t licensed for Windows 365 Reserve 7 days previously, then you have a problem that this cannot solve. I’d strongly recommend you read the FAQ, it’s very detailed! Aside from that, I really like the ability to offer the provisioning of the Reserve Cloud PC to the end user via the Windows app setting, that’s a bonus. And for disaster recovery teams that are proactive rather than reactive, this can be a win as the license fee is decent for what you get. Thanks Microsoft for letting me try it out!
  3. Last week
  4. well if you went with Intune management and Windows Autopatch then you wouldn't have to worry about that as it would take care of patching (clients) and the patch compliance. But you are still on-prem and not yet looking into Cloud management. Is anything blocking you from moving to all cloud or some cloud ?
  5. my goal is better and easier to deploy Windows Clients and Server monthly updates. SCCM and WSUS does work always not fine, there are sometimes more issues My SCCM is on Prem with WSUS
  6. what is your actual goal here ? what are you trying to accomplish ?
  7. Hi, I have followed your link. It means my AD goes to the Azure Cloud. I dont want it. Is there other way without AD Azure Cloud?
  8. Cloud attach gives you more possibilities, you really should check out our series on the subject below, sure things/versions have changed but the concept remains the same Cloud attach - Endpoint Managers silver lining – part 1 Configuring Azure AD connect Cloud attach - Endpoint Managers silver lining – part 2 Prepare for a Cloud Management Gateway Cloud attach - Endpoint Managers silver lining – part 3 Creating a Cloud Management Gateway Cloud attach - Endpoint Managers silver lining – part 4 Enabling co-management Cloud attach - Endpoint Managers silver lining – part 5 Enabling compliance policies workload Cloud attach - Endpoint Managers silver lining - part 6 Enabling conditional access Cloud attach - Endpoint Managers silver lining - part 7 Co-managing Azure AD devices Cloud attach - Endpoint Managers silver lining - part 8 Enabling tenant attach Cloud attach - Endpoint Managers silver lining - part 9 renewing expiring certificates Cloud attach - Endpoint Managers silver lining - part 10 Using apps with tenant attach
  9. Hi, I am using SCCM version 2603 on Prem and want to know what is more value to enable Cloud Attach on the SCCM Server. - Does it mean my SCCM on Prem is now in the Cloud? - Could I deploy better Windows Clients and Server Updates? - Does it publish my Collections or my data or application in the Cloud? - Is publish any Windows Clients or Server Data in the Cloud? Regards
  10. Earlier
  11. Introduction I was browsing Twitter when I came across this post by well known Microsoft Senior Program Manager, Per Larsen. I clicked on the learn.microsoft.com link and saw the following info. Image with Developer Configuration (preview): This image provides a consistent, ready-to-use developer environment by preinstalling essential development tools and applying the required configurations across Windows and WSL Ubuntu. This image is available for Windows 365 Enterprise and Windows 365 Flex Dedicated mode. By standardizing the image with the necessary tooling and setup, this approach reduces onboarding time, minimizes manual configuration, and ensures a reliable and productive developer experience from first sign-in. There is more info about what’s included in the link, but it intrigued me enough to want to try it. For those that don’t know there are two types of images in Windows 365, Gallery and custom. Custom images are those you create yourself and upload to Intune for use with your provisioning policies, and Gallery images are pre-defined images created by Microsoft. But why would people be interested in this new release ? well the time to setup any computer let alone a Cloud PC with all these developer tools available and at the right version takes time and effort. Development using those preinstalled tools also takes time, so anything that can speed up and automate that process is a win. Also, if you are targeting a team of developers with this image you know they are all starting from the same set of tools and settings so you are getting consistency. Using the new gallery image I decided to try it out. If you want to test it out too all you have to do is create a new provisioning policy and select the Image with Developer Configuration (preview) from the options or edit an existing policy (with the same Gallery image change) and reprovision one or more devices targeted by that policy. I went with the latter option and modified an already existing Windows 365 Enterprise policy. After applying the changes to your existing provisioning policy, simply reprovision a target Cloud PC (2vCPU is NOT supported and GPU is NOT supported) and wait until it’s ready. Below you can see the edited provisioning policy with the Gallery image applied. And my Cloud PC is busy getting provisioned with the new Gallery image. After a while provisioning is complete and you’ll see the correct Gallery image listed. Looking at the developer features Once provisioning is complete, login to the newly deployed Cloud PC to review what’s there in the box. The image includes: Windows configuration and settings via registry. Desktop configuration settings File Explorer settings Taskbar settings Search and Start settings Service/features settings Developer tools installation, including PowerShell 7, Visual Studio Code (with extensions ms-vscode.powershell, ms-python.python, ms-vscode-remote.remote-wsl, github.vscode-pull-request-github, ms-edgedevtools.vscode-edge-devtools, and mspythondeprem.python-dependency-remediation), PowerToys, Python, Node.js, npm, nvm, git, GitHub, GitHub Copilot CLI (with Work IQ and Windows Dev Skills), Oh My Posh, UV tools, Azure CLI, .NET Runtime, .NET SDK, and WinApp CLI. Install and set up Windows Subsystem for Linux (WSL) with a WSL Ubuntu A bash script to configure the user environment in WSL Ubuntu Installation of the same developer tools within the WSL environment If an uninstall of the 3rd-party dev tools is desired, this script can be used to uninstall them. Below you can see some screenshots of what I found on this developer Gallery image. Initial login, nice dark theme, prompting you to login to your account. The start menu has a Developer Tools category which contains Git, Terminal and Visual Studio Code. And the Other category…why the Weather widget and Microsoft News, and the Microsoft Intune Management extension are listed is anyones guess, but it would make sense to move all the other stuff to the Developer Tools category. What’s installed.. The Github Copilot terminal greeting you is waiting for your input, so go ahead and use it. You can decide to trust the source folder in your usernames path, and then /login to your Github account using the terminal (which will in turn launch Edge to complete the action). After that you can optionally connect Copilot and add a subscription or use the free version. Running wsl –status reveals the Windows Subsystem for Linux installation. Cool! Summary This is actually a great release, having the ability to quickly spin up Windows 365 Cloud PC’s with Microsoft developer tools built-in is very nice indeed and means you as the Intune admin can target your developer teams with Cloud PC’s that provide them with the tools to do the job. If the team behind this could just spruce up the start menu categories to be more accurate, that would be nice, but from first looks, this is really a step in the right direction for getting your developers coding quickly.
  12. The most likely root cause is the ADR is not successfully completing its content download phase. The automatic schedule issue and the empty deployment package source point toward an ADR execution or deployment package problem rather than a Software Center problem. I'd start with: ruleengine.log patchdownloader.log wsyncmgr.log Those three logs will usually reveal exactly why the ADR isn't behaving as expected. If you can post the ADR screenshots and relevant ruleengine.log entries from the Patch Tuesday run, the root cause can usually be identified very quickly.
  13. Hi, I have created an ADR for monthly Windows 11 Update and have select the following settings: Evolution Schedule: Monthly the second Tuesday My Questions about: Evolution Schedule: base of my settings, it should be run every the second Tuesday of month automatically, but it does not. I have to run it as manually. Any Idea why? Deployment Schedule: base of my setting, it should be run 7 days after the second Tuesday of month and should available on the Software Center. But every time I have to set it "as soon as Possible" and after that it downloaded the content. Should be not run automatically and download the content? Download Setting: My ADR was enabled and it downloaded no Content and the Package Source of the Deployments was empty. I saw many clients has downloaded the Content and install it, the Update was not available on the software center. Could you tell my why and Where did my updates download from? is that setting the reason? If software updates are not available on distribution point in current, neighbor or site boundary groups, download content from Microsoft Updates. Thank you for help
  14. Acknowledged. I will abide by this. Please PM a download link, and I will have it preserved only for own personal use.
  15. it's licensed software so cannot be uploaded to any internet archive sadly.
  16. @anyweb And yes, I'm also here to request a copy of such aforementioned SCCM 2007 & 2012 install support files. And additionally, I request a concent for uploading them onto the Internet Archive, so everyone from now on can access the file without sending you a request.
  17. Retro computing is a fun and archeology. Preserving legacy software is a method to let us not to lose memories on technology history and evolutions. It would be a loss to watch let them die out in time. And there do are actual usages when commercial maintenance for legacy systems is needed. We well know that running unsupported legacy systems is dangerous, and will only do this on VMs or dedicated offline hardwares for pure non-commercial proposes. That's also why the Internet Archive and the Computer History Museum (Mountain View, CA) are created. MS (and many other software vendors) should preserve their support & download resources for legacy softwares, at least throw them onto dedicated archive sites or work with 3rd party organizations, instead of violently delete them from their servers and only make them accessible to internal staffers. Of course it's on their own discretion.
  18. a { text-decoration: none; color: #464feb; } tr th, tr td { border: 1px solid #e6e6e6; } tr th { background-color: #f5f5f5; } here's the full reply from my chat with Copilot, you should try it too Short answer: yes — your boundary configuration is very likely the issue. Using only Active Directory Site boundaries can absolutely cause exactly what you’re seeing: Clients resolve a boundary But don’t get a valid DP or fallback DP assignment Result = updates sit at 0% downloading ✅ Why this is happening SCCM content download (including updates) depends on: Client is inside a boundary That boundary is part of a boundary group That boundary group has a Distribution Point (DP) assigned With AD Site boundaries only, problems occur when: AD Sites are not accurately mapped to IP subnets (very common) Clients’ IP ranges are not tied to the correct AD site Subnet definitions in AD are missing or incorrect 👉 Result: Clients may: Fall into no boundary Fall into a boundary group without content locations Try to download from a DP they cannot reach Sit at 0% downloading indefinitely 🔍 Your specific situation Your IP ranges: 192.168.0.0 172.20.0.0 172.10.0.0 172.40.0.0 But you're using: ✅ Active Directory Site only 🚨 Problem Unless all these IP ranges are properly mapped in Active Directory Sites and Services, SCCM cannot correctly assign clients. This is extremely common in environments where: Networks expanded over time AD Sites weren't kept updated Multiple IP ranges exist in one logical site ✅ Recommended Fix (Best Practice) ✔️ 1. Add IP Range Boundaries Yes — you should absolutely create IP Range boundaries for each of your ranges. Example: Boundary Type Range IP Range 192.168.0.1 – 192.168.0.254 IP Range 172.20.0.1 – 172.20.0.254 IP Range 172.10.0.1 – 172.10.0.254 IP Range 172.40.0.1 – 172.40.0.254 👉 Adjust ranges appropriately to your subnet masks. ✔️ 2. Add them to the correct Boundary Groups Put all new IP range boundaries into your existing boundary groups Ensure each boundary group: ✅ Has a DP assigned ✅ Has site assignment enabled (if needed) ✔️ 3. Leave AD Site boundaries (optional) You can keep them, but: 👉 Best practice: Use IP range boundaries as primary Use AD Site boundaries only if you trust their accuracy 🔧 Additional things to check ✅ Check Boundary Group settings Verify: DP is assigned: Administration → Hierarchy Configuration → Boundary Groups Under References tab: ✅ Distribution Points listed ✅ "Use this boundary group for site assignment" if applicable ✅ Check fallback configuration If clients are failing to find content: Enable fallback (optional, but helpful) Configure: Neighbor boundary group relationships Fallback time (e.g., 20–60 minutes) ✅ Verify client logs On one affected machine, check: LocationServices.log Look for: Boundary detection Assigned boundary group DP location requests ContentTransferManager.log Look for: Stuck download attempts CAS.log Look for: Content location failures DataTransferService.log Look for: BITS download issues 🧪 Quick validation test On a problem client: Run: PowerShell ipconfig Show more lines Then check: PowerShell nltest /dsgetsite Show more lines 👉 Compare the AD Site vs actual IP If: IP doesn’t match AD Site mapping → confirmed root cause ✅ Expected result after fix Once IP boundaries are added: Clients correctly map to boundary groups SCCM returns valid DP locations Updates move from: 0% downloading → downloading → installing 💡 Pro Tips (real-world SCCM guidance) ✅ IP ranges are the most reliable boundary type ❌ AD Sites are often neglected → unreliable ✅ Always verify with logs, not assumptions ✅ If “0% downloading” appears → it's almost always boundary/content location ✅ Final Answer Yes — relying only on Active Directory Site boundaries is very likely causing your issue. 👉 You should: Add IP range boundaries for all your networks Associate them with your boundary groups Ensure DPs are correctly assigned
  19. Hi Anyweb, First question What do you mean with best practice? Use IP range boundaries as primary Do you mean I have to change from Active Directory site to IP RANGE? Can I edit the Active Directory site to to IP RANGE? I created 4 new Boundary with IP Range and add them to the existing Boundary Group( I have only one), Now my Boundary Group show me 4 Members. My default Boundary was Active Directory site and I added 3 new IP RANGE Boundary and the "References" Is there any more steps I have to do?
  20. a { text-decoration: none; color: #464feb; } tr th, tr td { border: 1px solid #e6e6e6; } tr th { background-color: #f5f5f5; } from Copilot. 1. Add IP Range Boundaries Yes — you should absolutely create IP Range boundaries for each of your ranges. Example: Boundary Type Range IP Range 192.168.0.1 – 192.168.0.254 IP Range 172.20.0.1 – 172.20.0.254 IP Range 172.10.0.1 – 172.10.0.254 IP Range 172.40.0.1 – 172.40.0.254 👉 Adjust ranges appropriately to your subnet masks. ✔️ 2. Add them to the correct Boundary Groups Put all new IP range boundaries into your existing boundary groups Ensure each boundary group: ✅ Has a DP assigned ✅ Has site assignment enabled (if needed) ✔️ 3. Leave AD Site boundaries (optional) You can keep them, but: 👉 Best practice: Use IP range boundaries as primary Use AD Site boundaries only if you trust their accuracy
  21. I'm in the process of deploying windows updates to Windows Clients (Windows 11 build 25H2) Windows servers(2019,2022,2025) in my environment with SCCM and ADRs and most of the client computers have installed updates just fine however around 50 or so client computers are not installing updates and the updates are not getting downloaded. When I click to install updates it just stays stuck at 0% downloading and never installs until eventually it times out My Boundary and Boundary Groups the updates have been distributed to the DP servers. The boundaries are configured to include the clients in the scope. All of my boundary groups are set up with the Active Directory site only. We have the following IP Range 192.168.0.0, 172.20.0.0, 172.10.0.0. 172.40.0.0 But I set my My Boundary and Boundary Groups with the Active Directory site only. Is that the my issue? Should/Could I create or add some new Boundary with IP address Range(what we have see above IP Range) additionally to my Active Directory site? Could you please help me? Regards
  22. Introduction I’m sure by now that we are all aware of the coming changes to Secure boot certificates as documented by Microsoft here. To cut a long story short, when Secure Boot was introduced by Microsoft back in 2011 or so, they secured it with some default certificates which are set to expire in June 2026. Secure boot checks the bootloader and verifies it’s digital signature, if it’s trusted it allows it to run, otherwise it blocks it, which is a good way of blocking rootkits, bootkits and other low-level firmware attacks. Historically speaking Secure boot became part of UEFI 2.0 specification in January 2006, but Microsoft started rolling it out in 2011 including distributing the first Secure Boot signing certificates in 2011. These were later released to mainstream computers with the release of Windows 8 in October, 2012 where Microsoft required OEMs (Original Equipment Manufacturers) to enable Secure boot and ship systems with UEFI mode enabled. The original 2011 secure boot certificates were designed with a 15 year lifecycle, and in 2023 Microsoft introduced new 2023 certificate authorities. So here we are, all those years later, updating the bios (firmware) of modern laptops and desktops to ensure that they are capable of updating/supporting the new certificates prior to them expiring. There are plenty of good blog posts out there today showing you how to best deal with the Secure Boot certificate problem, but they are really focusing on supported, modern hardware, below are some examples. https://blog.mindcore.dk/2026/04/secure-boot-certificate-update-intune/ https://joymalya.com/intune-secure-boot-2023-certificate-update-rollout-part-1/ https://pureinfotech.com/windows-11-secure-boot-certificates-expiring-june-2026/ https://techcommunity.microsoft.com/blog/windows-itpro-blog/secure-boot-playbook-for-certificates-expiring-in-2026/4469235#community-4469235-_option2 What about older hardware ? But where does that leave older hardware that does support UEFI and secure boot, and should they be turned off/disposed of ? Security experts would most likely say yes to the latter question as they’d be wide open to rootkits/bootkits which is a painful reality when you consider the cost of new computers today thanks to the AI boom. I’m actually writing this article on an old Lenovo T570, which technically is old, it was released in 2017, but has been updated with Windows 11 25H2, and 32GB ram. It’s not the snappiest but it works fine for what I need. I looked at Microsoft Intune’s infamous secure boot status report and it showed me lots of red x’s for my older hardware even though I was already pushing out remediation scripts in my Intune lab to deal with the Secure boot certificates expiry mess. The following were looking sad: Lenovo T570 Dell Optiplex 9020 Microsoft Surface Pro 2 You can access this report in the Intune console by clicking on Reports, Windows Autopatch, Windows quality updates, Reports, and finally selecting the secure boot status report. You can see the details of the report that I ran below, the green arrow shows my Lenovo T570 is not up to date for any of the 4 certificates listed in the report. So I posted a tweet on Twitter (yeah, that’s what I call it) and got some instant feedback, which is the reason for this blog post. In the screenshot below you can see when the bios was last updated on my Lenovo (2024). Fellow MVP, Mike Terrill responded with some great advice. You should still be able to push the certs into the active db. However, the default db wouldn’t get the updated certs. If you did a factory restore of the bios, then the active ones would be replaced and need to be installed again. And he included some Powershell examples from his talk at MMS. I’m including his Powershell code below. All credit to Mike Terill and Gary Blok (I believe). $SecureBootRegPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot' New-ItemProperty -path $SecureBootRegPath -name "AvailableUpdates" -PropertyType dword -Value 0x1844 -Force Start-ScheduledTask -taskname '\Microsoft\Windows\PI\Secure-Boot-Update' #verify get-securebootuefi -decoded -name DB | Where-Object {$_.Subject -match "2023"} | Select subject get-securebootuefi -decoded -name KEK | Where-Object {$_.Subject -match "2023"} | Select subject So basically I ran the code above on my Lenovo T570 (from an elevated prompt) and the results were interesting. Below we add a reg key and trigger a scheduled task. The registry value tells Windows to deploy all available certificate updates as documented here and/or here (thanks Jon). and reveal the certificate status after a reboot To my joy, the following day the secure boot status report looked much much better for my Lenovo. Success! thanks Mike! I also got info from another Twitter user and he advised me to look here for some additional advice for patching older systems. https://www.elevenforum.com/t/garlins-powershell-scripts-for-updating-secure-boot-ca-2023.43423/ I did of course try the same method on some other old computers (Microsoft Surface Pro 2, Dell Optiplex 9020) and while it had some success with some of the certs, it couldn’t update the Microsoft Corporation KEK 2K CA 2023 certificate. According to Copilot this was because the firmware on the Dell and Surface, was just too old. Perhaps, perhaps. But then why did my Surface Book 2, which has a firmware (bios) date of wait for it, 2015 update all of the 4 certificates without any issue. That remains to be seen. I’ll update this blog post as I learn more, I definitely don’t want to ‘trash’ some old computers just because their secure boot certificates can’t get updated, worst case scenario I’ll convert them to Linux. On My Surface Pro 2 it updates 3 out of 4, the 4th being the missing KEK certificate, just like on the Dell. Looking in the SYSTEM event viewer, Event ID 1803 is showing every time I trigger the scheduled task from the Powershell script. That links me to this: Understanding Secure Boot Events 1802 and 1803 – Microsoft Support Learn more Finally, if you want to learn more aboute this subject (better late than never) take a look at this Patch My PC webinar, or Johan Arwidmarks free training on the subject: https://patchmypc.com/events/secure-boot-2026-are-you-actually-covered/ https://academy.viamonstra.com/courses/mini-course-secure-boot-2026 Summary Windows Autopatch on it’s own is not enough for getting these systems up-to-date with regards to the Secure boot certificate expiry. There are remediation scripts which definetly help, but they are mostly aimed at modern hardware. Thankfully, you can update some older hardware by using the example script above, either manually or push it out via Intune/ConfigMgr after you have of course ensured that the bios version is the latest available and that Windows is up-to-date. Thanks again to Mike, the beer is on me at MMS in October
  23. contact me on Teams, and i'll see if i have some time > niall@windowsnoob.com
  24. Hi, my SCCM Server does not work fine like before many years. I want to building a new SCCM server from scratch can I still use the old container (called System Management) and delegate control by adding the new server without necessarily extending the AD schema? Could I let running it the old SCCM server and install a new one fresh instillation of SCCM Server? Regards Nick
  25. Hi Nail, I have a big issue with ADRs on the SCCM with monthly Windows updates. On the client machine the download does not work or stucking by 0% or waiting for install. I'm really desperate, do have time for a remote session? Thank you Nick
  26. pros versus cons means what is positive about the solution (pros) and what is negative about it (cons)
  27. Hi, I have created some ADRs for Windows Server and Clients Updates with following settings Software Updates Deployment Schedule If I understand this option correctly, it should run automatically after 7 Days and deploy it to Distribution Server Evaluation Schedule, every month on second Tuesday Could you tell me please why it is not running automatically evey month? What is here wrong? Thank you Regards
  1. Load more activity
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.