I am ramping up for a migration of Windows 7 Pro to Windows 10 Enterprise and was looking for some tips and recommendations on making it a smooth migration. We have been stuck on 7 due to software compatibility constraints. We recently upgraded our ERP system and the last major hold-out is a minor ShoreTel update.

I use WDS and MDT for deployment and will be creating my gold image in vcenter server. I have seen some people posting their tips on "new" GPOs for Windows 10, do you guys and gals have any?

Also, which version of Windows 10 Enterprise are you deploying? LTSB or regular (1703)?

I could benefit from this. A simple ACL auditing script could come in handy.

I have an old Brother 4150 CDN color laser printer that is used by about 20 people. I am estimating that it does about 15,000 pages a month. The toner likes to leak out of the sides by the rollers and contaminate the rest of the rollers and ultimately the pages. So, I am looking for a decent color print-only replacement.

I know HP printers aren't what they used to be. Are the "Enterprise" printers any good?

What are you using (or would you use) in this scenario?

Yeah I was reading through the thread with @NerdyDad starting a WISP and saw that it was "out". I am interested in this thing for the sake of the technology at that price point. Quite amazing.

I'll just throw this out there to prove what a benefit virtualization is (and Veeam for that matter).

2 days ago, I upgraded my WDS/MDT server so I could image Windows 10 (1703). I uninstalled Windows ADK and installed the updated version. Then I upgraded MDT to 8443 and upgraded my deployment share. I did a test image of my new setup using a machine type that I had already had in MDT and it worked just great.

Yesterday, I had to add a new machine with drivers, task sequence and selection profiles. When I went to update the deployment share, it failed. It couldn't find the boot wim. It was looking for a new directory in the ADK installation path and when I checked the previous location of where the wim file was it was gone. I don't know what happened to it. I was running short on time because this was a new laptop that had to be sent priority overnight to be there today.

I used Veeam instant recovery to spin up a backup of my WDS MDT server from earlier that day (it only took a minute or two) sans network connection and verified that everything was where I thought it should be on the old one. I tried doing a side-by-side comparison on changing the settings on the 'live' server but I couldn't get it working. I then decided to restore the server back in place of the live server and that took only 15 minutes. I was able to add the new drivers, task sequence and selection profiles and update the deployment share successfully and image the laptop to get it out to the guy for this morning.

I would not have that flexibility to do even half of that stuff with the budget of an SMB without virtualization. I have virtualized everything in the past 6 years. I only have 2 physical servers left. A terminal server and my Exchange server. I will virtualize the first and with Exchange, I am planning on migrating to Office 365 in the next 6 months.

But first, I need to figure out why my WDS/MDT upgrade went tits up.

@scottalanmiller I just watched the LANless video. Good stuff. I am surprised that you gave that much praise to UTMs. Granted, this is a year ago.

@travisdh1 Thanks for the info. I have two physical servers left- an RDS server and an Exchange server. I have virtualized everything else in the past several years. I am planning on migrating the RDS to a VM later this year and the Exchange server to Office 365 within the next 6 months.

Dell's desktop (and probably laptop) life-cycle is basically 5 years. AFAIK,they won't warranty Optiplex desktops past 5 years. I am in the middle of my second PC refresh here and we are replacing desktops that are between 5 and 6 years old. In my case, it is the Optiplex 390 series that are EOL.

As the title indicates, I am trying to renew the UCC SSL cert for an Exchange 2010 server and after creating the .req file from within EMC, I open it with notepad and it is mostly gibberish and not the typical format that I normally see with the Begin and End New Certificate Request header and footer.

It has some human readable info about the server and domains in it but most of it looks like this:
6ËÌ14_WlÝ—ã!?PµÛF׸%zº$CbOºcôÌšœìÃÐ?ö† DŽc‘CÂt’Œ·Ýö¤_

What am I not doing correctly?

@jaredbusch Turns out it is the way that Exchange encodes the request. I ran:

certutil -encode c:\renewal.req c:\base64renewal.req to convert it to base64.

Edit: As seen in this thread-
https://social.technet.microsoft.com/Forums/exchange/en-US/f570e4bd-7194-4cf5-92f4-c7ada2f5dc8a/exchange-2010-renew-certificates?forum=exchangesvrsecuremessaginglegacy

2. Deployment- Deployment to endpoints is mostly good. There are several options, which is good. The bad thing is that none of them involves being able to download a custom built msi specifically for the endpoint group. They give you a number that is associated with your endpoint group that you can either use in a command for the exe or msi or use Orca to modify the properties of the msi.

When you use this method, the idea is that the endpoint gets moved to the appropriate group in the interface and have the policy applied. In practice, it is slow and clunky. It seems to be close to a 50/50 chance that it will happen automatically. Once the endpoint completes the initial scan, I found that about half the time, it would show up about 15-20 minutes later in the default group and just stay there until I manually moved it to the group that the msi was coded for. I also tried refreshing the config on the endpoint side and it did not have any effect.

3. I would like the ability for an admin to be able to access the shutdown protection feature without having to login to the web interface and apply a different policy to the endpoint, then refresh the endpoint and shutdown protection.

Several people here said that they hadn't run into any issues installing software when Webroot was running. I have already encountered at least 4. 3 were routine driver/software updates for ThinkPads that would not install while Webroot was running. The 4th was using PDQ Deploy to push Acrobat Standard DC. My main complaint is that I never got alerted to any problems from Webroot. I only knew that the installations were failing and would only succeed when Webroot was shutdown.

There are some mentions of password protection in the interface but not in the documentation, as far as I could find when using the search feature. So I don't know if this would solve my issue, because I don't know what it does.

4. I can't delete sites on my own. I have to call tech support and ask them to do it.

5. I can't figure out how to delete the deactivated endpoints. I assume that I will also have to call tech support and have them do it.

I have a Sophos UTM (SG-210) for the past 2 and a half years and the more time that goes by, the less I trust Sophos to release quality updates for it. Once I got used to the interface for the routing and firewall aspects, it is quite easy to configure. I am using the proxy (web filtering), gateway AV and IDS/IPS. However, there are several things that I am not using for different reasons- spam filtering, WAF, application control, etc.

What would you use to replace the firewall, proxy and IDS/IPS systems if you were going to separate them out?

@scottalanmiller LOL - A coincidence? But if it didn't work for me I wouldn't keep them.

We are using them and get the monthly check also. That reminds me... I really need to setup another training campaign for my users.

The sprinkler controller for our corporate offices went out and a guy here is really excited about wireless sprinkler controllers, like Rachio. After a brief Googling session, I haven't found any yet that are more business/industrial. I have reservations about having something like this/IoT devices on the network. I would have to create a separate SSID and VLAN for it.

Thoughts on allowing this on the network and maybe recommendations for alternatives?

Well that answers that. LOL Now I will have to redeploy to everyone and maintain different versions. Oh well. PDQ Deploy to the rescue.

@scottalanmiller said in New Ransomware Strain Evades Machine Learning Security Software:

@marcinozga said in New Ransomware Strain Evades Machine Learning Security Software:

@stus said

What do you do when all filters have failed?

What do you do? You don't allow scanning to email, period. Email inboxes are not file stores. Most of these machines allow you to scan to SMB share. Users need to learn to use file shares for storing files, not their email clients.

Or don't use paper, period.

That has been my quest since I got here... still fighting the good fight.

@scottalanmiller It is the value of time spent troubleshooting vs time spent replacing. Sometimes it makes more sense to replace something than try and figure out what it is. If I spend 2 hours trying to figure something out on a $100 printer, I should have just replaced it.