User Profile
Jason_Sandys
Joined 6 years ago
Recent Discussions
Re: WSUS Certificate pinning
Hi Lotsch17. No, this is not directly possible as the GPO template is not aware of this certificate location unfortunately. Using a script is the best path invoking certutil (although there may be a direct PowerShell cmdlet as well). You can deploy this script using whatever method is at your disposal including Intune (or ConfigMgr).
1.1K Views, 0 likes, 0 Comments
Re: Windows Store for Business / Windows 11
Getting ahead is typically advisable. As for MSfB apps and assignments in Intune, the exact behavior at retirement time is still being developed so nothing to share specifically other than for folks to expect none of their MSfB apps and assignments to work anymore.
13K Views, 0 likes, 0 Comments
Re: Windows Store for Business / Windows 11
There is no such thing as a new "store". The store is (more or less) as it's always been. Intune isn't a "workaround", though, it is our solution to replace the private/curated list of apps from the store for end users. This is exactly what we are working on. Moving the workload doesn't disable app deployment from ConfigMgr so there's nothing to be ready for to move this workload to Intune. Also, the Company Portal will show app deployments made from ConfigMgr regardless of the workload shift as well.
15K Views, 0 likes, 3 Comments
Re: Windows Store for Business / Windows 11
+1. The whole point of using the policy is to block users from installing anything from the store that has not been "approved" or curated by the IT admin. It still does this in Win 11. What's different though is that you need to use a different mechanism to make the approved/curated apps available to the end-user since the store for bus/ed does not exist in Win 11 and that's Intune.
15K Views, 0 likes, 5 Comments
Re: Recovering from a bad Quality Update, when its fix is released "Out of Band", using Intune?
Hi NathanHartley,
First, Thank you for the feedback and I'm sorry that you've experienced these issues. Our goal is to always provide the best possible products and services with the highest level of quality and functionality possible. Unfortunately, sometimes, things don't go as planned.
Next, for the root issue you called out, business impacting bugs, outages, and issues should be handled by contacting support. There's no SLA associated with feedback hub to my knowledge and only issues that do not significantly impact you, your org, and its business should be handled using it.
For our (Microsoft's) commitment to Autopilot and Intune, both are 100% the preferred solutions for Windows endpoint provisioning and management. We have a significant engineering investment in MEM and that is not planned to change. The store is slightly outside the scope of MEM and is currently undergoing some changes which is where I suspect the issues you have or are experiencing are rooted. These changes will bring a renewed emphasis on the store that includes adding our applications to it as well as third parties doing so as well (the changes will better enable this and make it easier as well).
On the driver front, we are all subject to whims of the OEMs as Microsoft is not in any way responsible for the vast majority of drivers published to WUfB. If you have issues in this regard, you should address these with and bring pressure on your preferred OEMs to publish their drivers to WUfB. Each OEM has their own perspective, and all have their own tools as well that they often prioritize. We are actively working on a better experience around delivering drivers and firmware from WUfB though that is fully integrated with Intune. Look for the public preview on this "soon". This will hopefully up the desire for OEMs to publish their drivers and firmware to WUfB.
Finally, on the specific issue of an optional update not being available to deploy via WUfB, this is a current design choice that we are looking to change. Keep in mind that all out of band updates are made available in the monthly cumulative update that follows the oob update's release, but we understand this delay may cause some pain or inconvenience. As for the workarounds, you can always download the update manually and package it as a Win32 app for deployment using Intune. I don't know why the KB article does not call this out, but this is something we have many customers perform when needed.
2.1K Views, 2 likes, 3 Comments
Re: Feature upgrade using Upgrade TS not taking content from MS update for cmg clients
Hi Ankush_Khandelwal. Please see the note at https://docs.microsoft.com/en-us/mem/configmgr/osd/deploy-use/create-a-task-sequence-to-upgrade-an-operating-system#requirements-for-a-feature-update-in-a-task-sequence for a description of how to achieve this:
> "When you deploy the task sequence, you can also select the option of No deployment package for the feature update. When clients run the task sequence, they download the feature update from peers or the Microsoft cloud."
Whether or not the client systems are on the Internet or connecting via a CMG is not relevant for this. If this matches your configuration and you are still having issues, please open a support case.
709 Views, 0 likes, 0 Comments
Re: Microsoft Connected Cache without ConfigMgr
There have been multiple, very limited private previews for the feature but, for a variety of reasons, the feature has not progressed out of private preview. Also, being in private preview does not imply anything about when or if we will ever deliver the feature or what form the feature will take when we do finally progress it and make it more broadly available. The only implication you can draw from a feature being in private preview is that it's something we are working on and have solicited the help of "some" customers for their feedback based on some limited use in their environment.
1.3K Views, 0 likes, 0 Comments
Re: Microsoft Connected Cache without ConfigMgr
Hi Chad, This is still on the list of things we're working on but we have nothing to share at this time around timelines. Out of curiosity, what's the scenario where this is needed, and normal DO peer content sharing is not sufficient?
1.4K Views, 1 like, 3 Comments
Re: TLS cipher suites and ConfigMgr client notification channel
Hi silvermarkg_Personal, Please file this using a frown in the console to get it added to our development lifecycle: https://docs.microsoft.com/en-us/mem/configmgr/core/understand/product-feedback. Please ensure that you include the business scenario and motivation for needing this so that we can prioritize this request properly.
1.3K Views, 2 likes, 0 Comments
Re: How to set group IDs for delivery optimization only with Intune
Hi Stephane, That really depends on how your network infrastructure is organized. There's nothing as nice as using boundary groups in ConfigMgr. You may be able to use dynamic AD groups based on location and then statically set GUIDs. Alternatively, you can use DHCP scope options to assign unique IDs based on your DHCP scopes. Another possibility could be to use a script delivered to the clients that sets the ID based on some criteria. There's no one size fits all answer here as it requires some knowledge of the internal network infrastructure which is why it works well with ConfigMgr.
1.8K Views, 1 like, 0 Comments
Re: WSUS Certificate pinning
Hi Stephane, The details are documented at https://docs.microsoft.com/en-us/mem/configmgr/core/clients/deploy/about-client-settings#enforce-tls-certificate-pinning-for-windows-update-client-for-detecting-updates. Basically, you need to add the HTTPS cert configured for WSUS to the WindowsServerUpdateServices cert store on the clients.
2.5K Views, 0 likes, 2 Comments
Re: Whats the best way to test Win 10 without IE
In addition to Steve's spot on comment, keep in mind that there is no way to fully remove Internet Explorer from Windows -- our impending "removal" of Internet Explorer does not fully remove it, it only removes the user surface area of it while things like the rendering engine still exist in (and are integral to) the OS. This is exactly what the two methods you've called out do as well.
1.2K Views, 0 likes, 0 Comments
Re: Windows Store for Business / Windows 11
Also, keep in mind that the policy to limit users to the "private store" does in fact still work in Win 11 (although I think it's been renamed slightly in the Win 11 ADMXs) and has the same end effect of preventing the users from visiting or using the public store.
19K Views, 0 likes, 11 Comments
Re: SCCM / MEMCM support CAU "Cluster Aware Updating" Feature of Failover Cluster Feature
Have you reviewed Orchestration Groups in ConfigMgr: https://docs.microsoft.com/en-us/mem/configmgr/sum/deploy-use/create-orchestration-groups? This is the specific feature set in ConfigMgr designed for cluster and cluster-like scenarios involving n-tier applications and "orchestrated" activity. If you feel you must have direct integration with CAU, please create a new item (or upvote an existing item) at https://feedbackportal.microsoft.com/feedback/forum/4669adfc-ee1b-ec11-b6e7-0022481f8472# and/or submit feedback using the ConfigMgr console.
3.6K Views, 0 likes, 2 Comments
Re: ConfigMgr & TLS 1.2
Hi Mark,
For #1, please see https://docs.microsoft.com/en-us/mem/configmgr/core/plan-design/security/enable-tls-1-2 for full details on enabling TLS 1.2 in ConfigMgr (assuming you are running a supported version). Per the doc, both values you call out must be enabled via the registry, yes. Make sure you fully read through the documentation though as there are other steps.
For #2, please open a support case as there is no way to troubleshoot an issue like that in a Q&A. It's possible you haven't completed all of the necessary configurations in the TLS documentation linked above, but only you can confirm that.
2.2K Views, 0 likes, 1 Comment
Re: New devices require bitlocker recovery key after bios updates
Hi prenckens, First, I'm not sure what "the 'suspendbitlocker' key ... in the Registry" is as properly suspending BitLocker involves more than just setting a value in the registry. The most common method is using manage-bde from the command-line or Suspend-BitLocker from PowerShell. Next, there are many different "things" that may trip a BitLocker recovery and to determine the root cause here, you must examine the BitLocker event log in detail. Doing this takes some familiarity with the internal working of TPMs including PCRs and thus this activity is typically best done by Microsoft Support so I'd encourage you to open a support case to investigate further.
1.4K Views, 0 likes, 1 Comment
Re: WUFB pausing and superseeded updated
Hi lalanc01, You should be fine unpausing today since the February CUs were released last week and are past the seven-day deferral period. However, if this was a question last week, then we'd still be inside the deferral period and the February CUs would be deferred but the January CUs wouldn't be and would therefore be applicable.
1.1K Views, 0 likes, 0 Comments