Jump to content


All Activity

This stream auto-updates

  1. Today
  2. my goal is better and easier to deploy Windows Clients and Server monthly updates. SCCM and WSUS does work always not fine, there are sometimes more issues My SCCM is on Prem with WSUS
  3. what is your actual goal here ? what are you trying to accomplish ?
  4. Hi, I have followed your link. It means my AD goes to the Azure Cloud. I dont want it. Is there other way without AD Azure Cloud?
  5. Yesterday
  6. Cloud attach gives you more possibilities, you really should check out our series on the subject below, sure things/versions have changed but the concept remains the same Cloud attach - Endpoint Managers silver lining – part 1 Configuring Azure AD connect Cloud attach - Endpoint Managers silver lining – part 2 Prepare for a Cloud Management Gateway Cloud attach - Endpoint Managers silver lining – part 3 Creating a Cloud Management Gateway Cloud attach - Endpoint Managers silver lining – part 4 Enabling co-management Cloud attach - Endpoint Managers silver lining – part 5 Enabling compliance policies workload Cloud attach - Endpoint Managers silver lining - part 6 Enabling conditional access Cloud attach - Endpoint Managers silver lining - part 7 Co-managing Azure AD devices Cloud attach - Endpoint Managers silver lining - part 8 Enabling tenant attach Cloud attach - Endpoint Managers silver lining - part 9 renewing expiring certificates Cloud attach - Endpoint Managers silver lining - part 10 Using apps with tenant attach
  7. Hi, I am using SCCM version 2603 on Prem and want to know what is more value to enable Cloud Attach on the SCCM Server. - Does it mean my SCCM on Prem is now in the Cloud? - Could I deploy better Windows Clients and Server Updates? - Does it publish my Collections or my data or application in the Cloud? - Is publish any Windows Clients or Server Data in the Cloud? Regards
  8. Last week
  9. Introduction I was browsing Twitter when I came across this post by well known Microsoft Senior Program Manager, Per Larsen. I clicked on the learn.microsoft.com link and saw the following info. Image with Developer Configuration (preview): This image provides a consistent, ready-to-use developer environment by preinstalling essential development tools and applying the required configurations across Windows and WSL Ubuntu. This image is available for Windows 365 Enterprise and Windows 365 Flex Dedicated mode. By standardizing the image with the necessary tooling and setup, this approach reduces onboarding time, minimizes manual configuration, and ensures a reliable and productive developer experience from first sign-in. There is more info about what’s included in the link, but it intrigued me enough to want to try it. For those that don’t know there are two types of images in Windows 365, Gallery and custom. Custom images are those you create yourself and upload to Intune for use with your provisioning policies, and Gallery images are pre-defined images created by Microsoft. But why would people be interested in this new release ? well the time to setup any computer let alone a Cloud PC with all these developer tools available and at the right version takes time and effort. Development using those preinstalled tools also takes time, so anything that can speed up and automate that process is a win. Also, if you are targeting a team of developers with this image you know they are all starting from the same set of tools and settings so you are getting consistency. Using the new gallery image I decided to try it out. If you want to test it out too all you have to do is create a new provisioning policy and select the Image with Developer Configuration (preview) from the options or edit an existing policy (with the same Gallery image change) and reprovision one or more devices targeted by that policy. I went with the latter option and modified an already existing Windows 365 Enterprise policy. After applying the changes to your existing provisioning policy, simply reprovision a target Cloud PC (2vCPU is NOT supported and GPU is NOT supported) and wait until it’s ready. Below you can see the edited provisioning policy with the Gallery image applied. And my Cloud PC is busy getting provisioned with the new Gallery image. After a while provisioning is complete and you’ll see the correct Gallery image listed. Looking at the developer features Once provisioning is complete, login to the newly deployed Cloud PC to review what’s there in the box. The image includes: Windows configuration and settings via registry. Desktop configuration settings File Explorer settings Taskbar settings Search and Start settings Service/features settings Developer tools installation, including PowerShell 7, Visual Studio Code (with extensions ms-vscode.powershell, ms-python.python, ms-vscode-remote.remote-wsl, github.vscode-pull-request-github, ms-edgedevtools.vscode-edge-devtools, and mspythondeprem.python-dependency-remediation), PowerToys, Python, Node.js, npm, nvm, git, GitHub, GitHub Copilot CLI (with Work IQ and Windows Dev Skills), Oh My Posh, UV tools, Azure CLI, .NET Runtime, .NET SDK, and WinApp CLI. Install and set up Windows Subsystem for Linux (WSL) with a WSL Ubuntu A bash script to configure the user environment in WSL Ubuntu Installation of the same developer tools within the WSL environment If an uninstall of the 3rd-party dev tools is desired, this script can be used to uninstall them. Below you can see some screenshots of what I found on this developer Gallery image. Initial login, nice dark theme, prompting you to login to your account. The start menu has a Developer Tools category which contains Git, Terminal and Visual Studio Code. And the Other category…why the Weather widget and Microsoft News, and the Microsoft Intune Management extension are listed is anyones guess, but it would make sense to move all the other stuff to the Developer Tools category. What’s installed.. The Github Copilot terminal greeting you is waiting for your input, so go ahead and use it. You can decide to trust the source folder in your usernames path, and then /login to your Github account using the terminal (which will in turn launch Edge to complete the action). After that you can optionally connect Copilot and add a subscription or use the free version. Running wsl –status reveals the Windows Subsystem for Linux installation. Cool! Summary This is actually a great release, having the ability to quickly spin up Windows 365 Cloud PC’s with Microsoft developer tools built-in is very nice indeed and means you as the Intune admin can target your developer teams with Cloud PC’s that provide them with the tools to do the job. If the team behind this could just spruce up the start menu categories to be more accurate, that would be nice, but from first looks, this is really a step in the right direction for getting your developers coding quickly.
  10. The most likely root cause is the ADR is not successfully completing its content download phase. The automatic schedule issue and the empty deployment package source point toward an ADR execution or deployment package problem rather than a Software Center problem. I'd start with: ruleengine.log patchdownloader.log wsyncmgr.log Those three logs will usually reveal exactly why the ADR isn't behaving as expected. If you can post the ADR screenshots and relevant ruleengine.log entries from the Patch Tuesday run, the root cause can usually be identified very quickly.
  11. Earlier
  12. Hi, I have created an ADR for monthly Windows 11 Update and have select the following settings: Evolution Schedule: Monthly the second Tuesday My Questions about: Evolution Schedule: base of my settings, it should be run every the second Tuesday of month automatically, but it does not. I have to run it as manually. Any Idea why? Deployment Schedule: base of my setting, it should be run 7 days after the second Tuesday of month and should available on the Software Center. But every time I have to set it "as soon as Possible" and after that it downloaded the content. Should be not run automatically and download the content? Download Setting: My ADR was enabled and it downloaded no Content and the Package Source of the Deployments was empty. I saw many clients has downloaded the Content and install it, the Update was not available on the software center. Could you tell my why and Where did my updates download from? is that setting the reason? If software updates are not available on distribution point in current, neighbor or site boundary groups, download content from Microsoft Updates. Thank you for help
  13. Acknowledged. I will abide by this. Please PM a download link, and I will have it preserved only for own personal use.
  14. it's licensed software so cannot be uploaded to any internet archive sadly.
  15. @anyweb And yes, I'm also here to request a copy of such aforementioned SCCM 2007 & 2012 install support files. And additionally, I request a concent for uploading them onto the Internet Archive, so everyone from now on can access the file without sending you a request.
  16. Retro computing is a fun and archeology. Preserving legacy software is a method to let us not to lose memories on technology history and evolutions. It would be a loss to watch let them die out in time. And there do are actual usages when commercial maintenance for legacy systems is needed. We well know that running unsupported legacy systems is dangerous, and will only do this on VMs or dedicated offline hardwares for pure non-commercial proposes. That's also why the Internet Archive and the Computer History Museum (Mountain View, CA) are created. MS (and many other software vendors) should preserve their support & download resources for legacy softwares, at least throw them onto dedicated archive sites or work with 3rd party organizations, instead of violently delete them from their servers and only make them accessible to internal staffers. Of course it's on their own discretion.
  17. a { text-decoration: none; color: #464feb; } tr th, tr td { border: 1px solid #e6e6e6; } tr th { background-color: #f5f5f5; } here's the full reply from my chat with Copilot, you should try it too Short answer: yes — your boundary configuration is very likely the issue. Using only Active Directory Site boundaries can absolutely cause exactly what you’re seeing: Clients resolve a boundary But don’t get a valid DP or fallback DP assignment Result = updates sit at 0% downloading ✅ Why this is happening SCCM content download (including updates) depends on: Client is inside a boundary That boundary is part of a boundary group That boundary group has a Distribution Point (DP) assigned With AD Site boundaries only, problems occur when: AD Sites are not accurately mapped to IP subnets (very common) Clients’ IP ranges are not tied to the correct AD site Subnet definitions in AD are missing or incorrect 👉 Result: Clients may: Fall into no boundary Fall into a boundary group without content locations Try to download from a DP they cannot reach Sit at 0% downloading indefinitely 🔍 Your specific situation Your IP ranges: 192.168.0.0 172.20.0.0 172.10.0.0 172.40.0.0 But you're using: ✅ Active Directory Site only 🚨 Problem Unless all these IP ranges are properly mapped in Active Directory Sites and Services, SCCM cannot correctly assign clients. This is extremely common in environments where: Networks expanded over time AD Sites weren't kept updated Multiple IP ranges exist in one logical site ✅ Recommended Fix (Best Practice) ✔️ 1. Add IP Range Boundaries Yes — you should absolutely create IP Range boundaries for each of your ranges. Example: Boundary Type Range IP Range 192.168.0.1 – 192.168.0.254 IP Range 172.20.0.1 – 172.20.0.254 IP Range 172.10.0.1 – 172.10.0.254 IP Range 172.40.0.1 – 172.40.0.254 👉 Adjust ranges appropriately to your subnet masks. ✔️ 2. Add them to the correct Boundary Groups Put all new IP range boundaries into your existing boundary groups Ensure each boundary group: ✅ Has a DP assigned ✅ Has site assignment enabled (if needed) ✔️ 3. Leave AD Site boundaries (optional) You can keep them, but: 👉 Best practice: Use IP range boundaries as primary Use AD Site boundaries only if you trust their accuracy 🔧 Additional things to check ✅ Check Boundary Group settings Verify: DP is assigned: Administration → Hierarchy Configuration → Boundary Groups Under References tab: ✅ Distribution Points listed ✅ "Use this boundary group for site assignment" if applicable ✅ Check fallback configuration If clients are failing to find content: Enable fallback (optional, but helpful) Configure: Neighbor boundary group relationships Fallback time (e.g., 20–60 minutes) ✅ Verify client logs On one affected machine, check: LocationServices.log Look for: Boundary detection Assigned boundary group DP location requests ContentTransferManager.log Look for: Stuck download attempts CAS.log Look for: Content location failures DataTransferService.log Look for: BITS download issues 🧪 Quick validation test On a problem client: Run: PowerShell ipconfig Show more lines Then check: PowerShell nltest /dsgetsite Show more lines 👉 Compare the AD Site vs actual IP If: IP doesn’t match AD Site mapping → confirmed root cause ✅ Expected result after fix Once IP boundaries are added: Clients correctly map to boundary groups SCCM returns valid DP locations Updates move from: 0% downloading → downloading → installing 💡 Pro Tips (real-world SCCM guidance) ✅ IP ranges are the most reliable boundary type ❌ AD Sites are often neglected → unreliable ✅ Always verify with logs, not assumptions ✅ If “0% downloading” appears → it's almost always boundary/content location ✅ Final Answer Yes — relying only on Active Directory Site boundaries is very likely causing your issue. 👉 You should: Add IP range boundaries for all your networks Associate them with your boundary groups Ensure DPs are correctly assigned
  18. Hi Anyweb, First question What do you mean with best practice? Use IP range boundaries as primary Do you mean I have to change from Active Directory site to IP RANGE? Can I edit the Active Directory site to to IP RANGE? I created 4 new Boundary with IP Range and add them to the existing Boundary Group( I have only one), Now my Boundary Group show me 4 Members. My default Boundary was Active Directory site and I added 3 new IP RANGE Boundary and the "References" Is there any more steps I have to do?
  19. a { text-decoration: none; color: #464feb; } tr th, tr td { border: 1px solid #e6e6e6; } tr th { background-color: #f5f5f5; } from Copilot. 1. Add IP Range Boundaries Yes — you should absolutely create IP Range boundaries for each of your ranges. Example: Boundary Type Range IP Range 192.168.0.1 – 192.168.0.254 IP Range 172.20.0.1 – 172.20.0.254 IP Range 172.10.0.1 – 172.10.0.254 IP Range 172.40.0.1 – 172.40.0.254 👉 Adjust ranges appropriately to your subnet masks. ✔️ 2. Add them to the correct Boundary Groups Put all new IP range boundaries into your existing boundary groups Ensure each boundary group: ✅ Has a DP assigned ✅ Has site assignment enabled (if needed) ✔️ 3. Leave AD Site boundaries (optional) You can keep them, but: 👉 Best practice: Use IP range boundaries as primary Use AD Site boundaries only if you trust their accuracy
  20. I'm in the process of deploying windows updates to Windows Clients (Windows 11 build 25H2) Windows servers(2019,2022,2025) in my environment with SCCM and ADRs and most of the client computers have installed updates just fine however around 50 or so client computers are not installing updates and the updates are not getting downloaded. When I click to install updates it just stays stuck at 0% downloading and never installs until eventually it times out My Boundary and Boundary Groups the updates have been distributed to the DP servers. The boundaries are configured to include the clients in the scope. All of my boundary groups are set up with the Active Directory site only. We have the following IP Range 192.168.0.0, 172.20.0.0, 172.10.0.0. 172.40.0.0 But I set my My Boundary and Boundary Groups with the Active Directory site only. Is that the my issue? Should/Could I create or add some new Boundary with IP address Range(what we have see above IP Range) additionally to my Active Directory site? Could you please help me? Regards
  21. Introduction I’m sure by now that we are all aware of the coming changes to Secure boot certificates as documented by Microsoft here. To cut a long story short, when Secure Boot was introduced by Microsoft back in 2011 or so, they secured it with some default certificates which are set to expire in June 2026. Secure boot checks the bootloader and verifies it’s digital signature, if it’s trusted it allows it to run, otherwise it blocks it, which is a good way of blocking rootkits, bootkits and other low-level firmware attacks. Historically speaking Secure boot became part of UEFI 2.0 specification in January 2006, but Microsoft started rolling it out in 2011 including distributing the first Secure Boot signing certificates in 2011. These were later released to mainstream computers with the release of Windows 8 in October, 2012 where Microsoft required OEMs (Original Equipment Manufacturers) to enable Secure boot and ship systems with UEFI mode enabled. The original 2011 secure boot certificates were designed with a 15 year lifecycle, and in 2023 Microsoft introduced new 2023 certificate authorities. So here we are, all those years later, updating the bios (firmware) of modern laptops and desktops to ensure that they are capable of updating/supporting the new certificates prior to them expiring. There are plenty of good blog posts out there today showing you how to best deal with the Secure Boot certificate problem, but they are really focusing on supported, modern hardware, below are some examples. https://blog.mindcore.dk/2026/04/secure-boot-certificate-update-intune/ https://joymalya.com/intune-secure-boot-2023-certificate-update-rollout-part-1/ https://pureinfotech.com/windows-11-secure-boot-certificates-expiring-june-2026/ https://techcommunity.microsoft.com/blog/windows-itpro-blog/secure-boot-playbook-for-certificates-expiring-in-2026/4469235#community-4469235-_option2 What about older hardware ? But where does that leave older hardware that does support UEFI and secure boot, and should they be turned off/disposed of ? Security experts would most likely say yes to the latter question as they’d be wide open to rootkits/bootkits which is a painful reality when you consider the cost of new computers today thanks to the AI boom. I’m actually writing this article on an old Lenovo T570, which technically is old, it was released in 2017, but has been updated with Windows 11 25H2, and 32GB ram. It’s not the snappiest but it works fine for what I need. I looked at Microsoft Intune’s infamous secure boot status report and it showed me lots of red x’s for my older hardware even though I was already pushing out remediation scripts in my Intune lab to deal with the Secure boot certificates expiry mess. The following were looking sad: Lenovo T570 Dell Optiplex 9020 Microsoft Surface Pro 2 You can access this report in the Intune console by clicking on Reports, Windows Autopatch, Windows quality updates, Reports, and finally selecting the secure boot status report. You can see the details of the report that I ran below, the green arrow shows my Lenovo T570 is not up to date for any of the 4 certificates listed in the report. So I posted a tweet on Twitter (yeah, that’s what I call it) and got some instant feedback, which is the reason for this blog post. In the screenshot below you can see when the bios was last updated on my Lenovo (2024). Fellow MVP, Mike Terrill responded with some great advice. You should still be able to push the certs into the active db. However, the default db wouldn’t get the updated certs. If you did a factory restore of the bios, then the active ones would be replaced and need to be installed again. And he included some Powershell examples from his talk at MMS. I’m including his Powershell code below. All credit to Mike Terill and Gary Blok (I believe). $SecureBootRegPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot' New-ItemProperty -path $SecureBootRegPath -name "AvailableUpdates" -PropertyType dword -Value 0x1844 -Force Start-ScheduledTask -taskname '\Microsoft\Windows\PI\Secure-Boot-Update' #verify get-securebootuefi -decoded -name DB | Where-Object {$_.Subject -match "2023"} | Select subject get-securebootuefi -decoded -name KEK | Where-Object {$_.Subject -match "2023"} | Select subject So basically I ran the code above on my Lenovo T570 (from an elevated prompt) and the results were interesting. Below we add a reg key and trigger a scheduled task. The registry value tells Windows to deploy all available certificate updates as documented here and/or here (thanks Jon). and reveal the certificate status after a reboot To my joy, the following day the secure boot status report looked much much better for my Lenovo. Success! thanks Mike! I also got info from another Twitter user and he advised me to look here for some additional advice for patching older systems. https://www.elevenforum.com/t/garlins-powershell-scripts-for-updating-secure-boot-ca-2023.43423/ I did of course try the same method on some other old computers (Microsoft Surface Pro 2, Dell Optiplex 9020) and while it had some success with some of the certs, it couldn’t update the Microsoft Corporation KEK 2K CA 2023 certificate. According to Copilot this was because the firmware on the Dell and Surface, was just too old. Perhaps, perhaps. But then why did my Surface Book 2, which has a firmware (bios) date of wait for it, 2015 update all of the 4 certificates without any issue. That remains to be seen. I’ll update this blog post as I learn more, I definitely don’t want to ‘trash’ some old computers just because their secure boot certificates can’t get updated, worst case scenario I’ll convert them to Linux. On My Surface Pro 2 it updates 3 out of 4, the 4th being the missing KEK certificate, just like on the Dell. Looking in the SYSTEM event viewer, Event ID 1803 is showing every time I trigger the scheduled task from the Powershell script. That links me to this: Understanding Secure Boot Events 1802 and 1803 – Microsoft Support Learn more Finally, if you want to learn more aboute this subject (better late than never) take a look at this Patch My PC webinar, or Johan Arwidmarks free training on the subject: https://patchmypc.com/events/secure-boot-2026-are-you-actually-covered/ https://academy.viamonstra.com/courses/mini-course-secure-boot-2026 Summary Windows Autopatch on it’s own is not enough for getting these systems up-to-date with regards to the Secure boot certificate expiry. There are remediation scripts which definetly help, but they are mostly aimed at modern hardware. Thankfully, you can update some older hardware by using the example script above, either manually or push it out via Intune/ConfigMgr after you have of course ensured that the bios version is the latest available and that Windows is up-to-date. Thanks again to Mike, the beer is on me at MMS in October
  22. contact me on Teams, and i'll see if i have some time > niall@windowsnoob.com
  23. Hi, my SCCM Server does not work fine like before many years. I want to building a new SCCM server from scratch can I still use the old container (called System Management) and delegate control by adding the new server without necessarily extending the AD schema? Could I let running it the old SCCM server and install a new one fresh instillation of SCCM Server? Regards Nick
  24. Hi Nail, I have a big issue with ADRs on the SCCM with monthly Windows updates. On the client machine the download does not work or stucking by 0% or waiting for install. I'm really desperate, do have time for a remote session? Thank you Nick
  25. pros versus cons means what is positive about the solution (pros) and what is negative about it (cons)
  26. Hi, I have created some ADRs for Windows Server and Clients Updates with following settings Software Updates Deployment Schedule If I understand this option correctly, it should run automatically after 7 Days and deploy it to Distribution Server Evaluation Schedule, every month on second Tuesday Could you tell me please why it is not running automatically evey month? What is here wrong? Thank you Regards
  27. Hi, I have created some ADRs for Windows Server and Clients Updates with following settings Software Updates Deployment Schedule If I understand this option correctly, it should run automatically after 7 Days and deploy it to Distribution Server Evaluation Schedule, every month on second Tuesday Could you tell me please why it is not running automatically evey month? What is here wrong? Thank you Regards
  1. Load more activity
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.