Problem: System Center Endpoint Protection keeps deploying itself from SCCM to the computers and servers after I manually delete them, even if the SCCM server got completely removed recently. Though AFAIK the deployment tasks weren't deleted, only the services stopped and SCCM related programs uninstalled. Also the server (Hostname: SCCM_SERVER) was shutdown.
If I open one of the servers and go to Configuration Manager, I see that Assigned management point is still SCCM_SERVER.
Question: Not having been delved into SCCM administration prior, how is this happening? Did it create windows services on each machine? Could there be additional SCCM administration sever running somewhere else? I checked GPO/scheduled tasks - nothing. How does the deployment work? And how do I stop it?
Also, if additional information related to the software/hardware/network is required please ask.
Regards,
Sai
Have you checked the log file EndpointProtectionAgent.log? Maybe it can give us some clues.
If you want to decommission SCCM, you could uninstall the SCCM client.
The correct way is edit the Client Settings node in the Administration workspace first.
Modify the device settings "Install Endpoint Protection client on client computers", choosing False or No will not uninstall the Endpoint Protection client. To uninstall the Endpoint Protection client, set the Manage Endpoint Protection client on client computers client setting to False or No. Then, deploy a package and program to uninstall the Endpoint Protection client.
#About client settings in System Center Configuration Manager
Related
This question is purposefully general because I'm trying to understand things more from an architectural perspective, because that will impact which group I need to contact. My team is using Azure DevOps (cloud) with on-prem build agents. The agents connect to ADO via a proxy.
We use several tools in-house provided by vendors with ADO plugins in the Marketplace that require us to set up service connections. Because the services are installed on-prem, the endpoints we enter are not available via the Web (e.g. https://vendor-product.my-company.com).
If I log into the build machine and open up IE, I am able to connect to the service endpoint URL. However, whenever I try to run a task from ADO, it fails with some kind of connection-related issue ("The underlying connection was closed: An unexpected error occurred on a send", "Task ended with an exception: Error: read ECONNRESET", etc.).
The way I thought it worked, all the work takes place on the build machine itself, so the calls would be going from my-build-server.my-company.com to https://vendor-product.my-company.com. Those error messages though make me wonder if the connection is actually coming from https://dev.azure.com.
So the questions I have are:
For situations like this, is the connection to a service endpoint going to be seen as coming from my on-prem build agent, or from ADO (or does it vary based on how the vendor writes their plugin)?
If the answer to #1 is "it varies", is there any way for me to tell just from the plugin itself without having to contact the vendor? (In my experience some of the vendor reps don't understand how the cloud works.)
and/or
Because my build agent was configured to use a proxy when I set it up, is it going to use that proxy for all connections, even internal ones? I think I can set up a proxy bypass list for the agents but I presently only have read access to the build box. I can request temporary elevated access but I'd need some level of confidence that's what the issue is.
Hope I explained the situation clearly, thanks in advance for any insight.
I'm writing my first application using MSMQ and everything works well with local queues on my development machine. I cannot seem to connect to a remote queue when I tested it.
I have 10 Windows 10 Pro installation (not domain joined, but I have also tried this on two domain joined machines), both with MSMQ installed. I have disabled the firewall on both machines, unchecked the 'Disable un-authenticated RPC calls" on both machines. Changed the permissions on the queue to full control for everyone and anonymous.
I'm using .NET and the system.messaging namespace. When I call the messagequeue constructor, I can see that most of the properties are in a exception state.
VB code New MessageQueue("FormatName:Direct=TCP:x.x.x.x\private$\test")
I found an article detailing a registry entry NewRemoteReadServerAllowNoneSecurityClient I thought might work but got the same result. I'm sure this is some sort of security issue but I have no idea what I'm doing wrong.
Anyone have any ideas? Seems like this should be much easier than I am experiencing.
I have downloaded opshub tool for the migration, trying to migrate from on premises to visualstydio team service. Getting error On the migration summary page with error message:
"Unable to communicate with the required process opshubtfsservice.Because probably it is not running. Restart application & try again"
I verified the opshub service is running as local service. I tried to restart & tried with Network service/local account etc. But no lock.
Can you please help me on this here.
Thank you.
It seems that your machine is behind a proxy and all traffic in-out is being routed through it. (Including the communication of local traffic)
You will have to bypass local addresses from the proxy as well as enable OVSMU to communicate through the proxy.
Please refer the C:\Program Files\OpsHub Visual Studio Migration Utility\Other_Resources\Resources\ProxyUtility.zip to configure OVSMU to utilize your proxy. There should be a user guide document which lists the steps.Keep the bypass local address value as default.
I am DBA. I am trying to write bunch of scripts that I could execute from one central server. Ideal would be to send all the scripts from central server to say 50+ servers across multiple win domains (for databases management purposes).
The problem I am running into is - security. Seems like PowerShell Remoting is the way to go. But when I send a script to another server, I get 'not digitally signed' error.
I could 'self sign'. But that cert if only trusted on local machine. So that option is out.
Maybe Certificate Authority is a way to go. Or adding trusted hosts. I just have no clue on this one, so if you know any blog posts or how to do this - it would be big help.
Well, it's a security risk, but there's always the possibility of setting the execution policy to RemoteSigned, keeping a local repository on each server and calling those as needed via PS-Remoting. I don't like that idea one bit though.
If you are doing remote execution, you will need to sign your scripts. A detailed step by step can be found here. It even covers deploying the cert via GPO so that it's domain trusted.
I would use PowerShell remoting. This would allow you to run it as remote commands instead of remote scripts. If you catch the bottom of this SimpleTalk article, after "Persistent Sessions". It shows the option of executing a set of commands against each server instead of the script. This should prevent having to deal with the remote signed issue and provide a little more control.
The only thing to deal with on remote sessions is your credentials. I have not tried this on multiple domains but a few stand-alone servers.
There is a public queue named queue1 on machine A. I want to send messages to this queue from machine B. In order to achieve this, I wrote that c# code.
if (MessageQueue.Exists("machineA\queue1"))
{
label1.Text = "queue found";
}
else
{
label1.Text = "queue could not be found";
}
But Exists() method return false on machine B. The same code works well on machine C.
I found somethings related with msmq domain mode and workgroup mode. I think that msmq installed in workgoup mode on machine B.
How can I change this configuration from workgroup mode to domain mode?
HKEY_LOCAL_MACHINE\Software\Microsoft\MSMQ\Parameters\
Check the data for the REG_DWORD workgroup. Is it 1 or 0?
1 is workgroup mode.
0 is AD mode
Basically the difference between domain and work group mode is not defined by the value of the registry flag "workgroup" mentioned by #engin. This flag just reflects current operational mode but doesn't set it.
Whether you run in domain or workgroup mode is defined whether you installed MSMQ on domain controller or on a member server. Details about differences between these two modes can be found here: https://support.microsoft.com/en-us/kb/884974/
MSMQ 1.0 used to support domain mode only. Current MSMQ version is 5.0.
Next you may see quite interesting behavior when you installed MSMQ on your DC, your workgroup flag continuously reverts to 1 after each MSMQ service restart. This means that you have to grant Network Service account the Create MSMQ Configuration Objects permission to the computer object in Active Directory Domain Services before installing the Directory Services Integration feature on a computer that is a domain controller.
You may find details on how to do it here:
https://technet.microsoft.com/en-us/library/cc730960.aspx
MSMQ runs under the (less privileged) Network Service account instead of (all powerful) Local System account starting from version 4.0 (Vista/Server 2008)
So to answer #mkus question more directly to "set" domain mode you just install MSMQ on domain controller and make sure that proper permissions in place for Network Service account. Once this is done you well see it operating in domain mode with workgroup flag switched to 0 automatically to reflect this.
Also couple of links to clarify issues around MSMQ objects permissions and when/why you need to set them:
http://blogs.msdn.com/b/johnbreakwell/archive/2009/08/03/default-msmq-queue-permissions-have-changed-in-msmq-4-0.aspx. In short starting from MSMQ 4.0 Everyone and Anonymous Logon were removed from default MSMQ objects ACLs as precaution against DoS attacks (though there are exlusions to this change and Workgroup mode is one of those).
And as you may read in Technet article below you need to go a grant certain rigts to MSMQ objects either to Network Service OR to Computer accounts when installing the Routing Service feature on a Windows Server 2008 R2 (or later) computer that is not a domain controller OR when installing the Directory Service Integration feature of Message Queuing on a Windows Server 2008 R2 (or later) computer that is a domain controller. See details here:
https://technet.microsoft.com/en-us/library/cc749102(v=ws.10).aspx
Run Server Manager on the machine that is hosting the queue. Right-click on Features and click "add features"
Drill down under Message Queuing and under Message Queuing Services. You should see a checkbox for Directory Service Integration.
Check it and click install.
Usually you have to reboot the server for it to show the change.
I ran into some problems, no matter how much I installed or uninstalled MSMQ or restarted, I still wasn't able to use the queue. So I wanted to post some links here
http://support.microsoft.com/kb/935498
When it gets to a part about "To work around this problem, use the Active Directory Users and Computer Microsoft Management Console (MMC)...". Below is how you do that.
How to delete from active directory
http://technet.microsoft.com/en-us/library/cc773660(v=WS.10).aspx
"Delete stale computer objects" is the part you are interested in.
I also found this nice error in the event log "The Message Queuing service will not join the domain. An MSMQ Configuration (msmq) object exists in the new domain with an ID differing from the service ID. Please delete the MSMQ Configuration object in the new domain, restart the Message Queuing service, and log on again."- which helped to point out they way.
I have face this issue for windows server 2016, where even thought I was changing registry value to domain mode "0", it reverts to "1", after server restart.
To solve the issue on OS 2016, we need to uninstall below MSMQ feature as they are deprecated from OS 2016 onward.
Message Queuing Trigger
Multicasting support
Routing Service