System Center Configuration Manager with Endpoint Protection
If you have a Group Policy Object or System Center Configuration Manager setting some parameter on your PC and you also have the setting configured in Microsoft Intune, Intune will win. Put simply, Intune overrides GPO and SCCM. It is also notable that Microsoft has dropped SCCM – Intune Hybrid support. You must move your SSCM/Intune hybrid configuration to a Standalone Intune by September 2019. At the recent Microsoft Ignite Conference in Florida I asked…
UPDATE OCT 18 2018 – You CAN now use a GPO to block the public Microsoft Store but keep your private corporate Store. See our short explanation HERE. After working on setting up a private Microsoft Business Store (businessstore.microsoft.com) I was shocked to find that I could not disable the Public Microsoft Store through any of the settings. I put a few hours into searching and reading but could not even find someone saying it…
As you likely already know, because you have found this page, the GPO to disable the MICROSOFT STORE app was set to be ineffective on Windows 10 Pro after build 1511. This annoying change meant that you could only block the store using a GPO if you were running Windows 10 ENTERPRISE or EDUCATION and that made admins cranky. The solution was to block the store app through a SOFTWARE RESTRICTION GPO as we explained…
If you have recently upgraded your HyperV Servers or Cluster to Server 2016 and you are running Veeam, you may see the following error: Changed Block Tracking Will Not Be Used For This VM Until You Upgrade the VM Hardware to Version 8.0 or Later What this means is that Veeam will only perform FULL backups and not incrementals which is a bit of a crisis for most companies. Fortunately this is easy to fix,…
Windows Server 2016 introduces native Virtual Machine load balancing. The idea being that Server 2016 Cluster Manager will now migrate VM’s to other Hosts in the cluster to level out the work load. This is roughly the same as “Dynamic Optimization” in System Center Virtual Machine Manager but this is free. By default Microsoft does not want Server 2016 to move VM’s to different nodes unless one of the nodes is ‘hammered’. In fact, the default configuration…
If you have Windows Server Update Services (WSUS) you can easily change the PRODUCTS AND CLASSIFICATIONS by clicking OPTIONS > PRODUCTS AND CLASSIFICATIONS. If you are using System Center to rollout Windows Updates, it is much more complex to change what products and categories SCCM is downloading from Microsoft and pushing to your PC’s. To Change the Windows Update PRODUCTS AND CLASSIFICATIONS in SCCM: Click ADMINISTRATION (bottom left) Click and expand SITE CONFIGURATION (top left)…
If you have deployed Windows 10 Anniversary 1607 and are using Windows Defender you should be very interested in the new BLOCK ON FIRST SIGHT feature. When a user runs a program that Defender has never seen before, BLOCK ON FIRST SIGHT, sends a metadata about the file to a Microsoft cloud service. That service uses heuristics and machine learning to figure out of the program is malicious. If it cannot make that determination, a copy of the…
If you have ever worked with System Center Configuration Manager to manage PC’s, you will know that changes do not take place quickly, and that can be frustrating. To have your PC’s take instruction from SCCM immediately, you need to manually kick off the ‘cycle’: Install the SCCM agent Go to the PC in question and bring up CONFIG MANAGER PROPERTIES > ACTIONS Manually start the ‘Machine Policy Retrieval & Evaluation Cycle’ But this leads…
Below is a the quick version of how to push software packages based on MSI’s, including any Transforms (.MST’s) using System Center Configuration Manager Before we get started I you should understand that the difference between an APPLICATION and a PACKAGE in SCCM is Packages are 2007 logic that you should stop using. If you want to dig into this further, see our page on Applications vs Packages. To deploy software using SCCM High Level: In…
In System Center 2007 and older deploying software was handled through PACKAGES and as such a category named PACKAGES in SCCM > SOFTWARE LIBRARY > OVERVIEW still exists for backwards compatibility. System Center now uses APPLICATIONS to deploy software and that is what you should move to (or start with, if you are new to SCCM). The APPLICATIONS logic allows more options, like Supercedence, Requirements and Global Conditions. Contrary to some reports, APPLICATIONS support both…
From time to time, to accommodate an install or perform troubleshooting, we all need to temporarily shut down the Antivirus we are running. Disabling System Center Endpoint Protection however is not a nice affair. You can either allow ALL users to turn it off or NO users to turn it off. This means that in any real company in which standard users are locked down, Administrators can not easily shut it down. I confirmed this with…
In anything but the simplest networks, there will always be a few machines that need Antivirus but do not connect to the domain. These could be lab machines, dedicated PC’s that run manufacturing equipment, field machines, loaners… So the question of how to install System Center Endpoint Protection on these disconnected machines is a valid one. Determine the Location of Your Endpoint Install File In System Center Configuration Manager, expand SOFTWARE LIBRARY > APPLICATION MANAGEMENT,…