(Rookie) AD Computer Won't Sync Its Time With The Server

The document discusses issues with syncing time on a computer to an Active Directory server acting as a time server. The computer is showing the local CMOS clock as the time source instead of syncing from the server. Various troubleshooting steps have been tried, including restarting the w32time service, unregistering/reregistering it, and changing the sync source flag, but the computer still does not sync. Advice is provided in the comments, such as checking for a conflicting time service on port 123, ensuring the peer list in the NTP configuration is space-delimited rather than comma-separated, and allowing more time for sync if the clocks are far out of sync. The cause of the error when stopping

[Rookie] AD computer won't sync its time with the server

Question

Hi,
We have a one-server system. It acts as our AD, network storage, and time server.
I set up the server as an NTP client with roughly the following command. I can't quite remember
exactly how I did the peer list.
    w32tm /config /manualpeerlist:0.uk.pool.ntp.org, 1.uk.pool.ntp.org, 2.uk.pool.ntp.org, 3.uk.pool.ntp.org /syncfromflags:MANUAL
    Stop-Service w32time
    Start-Service w32time
When I set up the time server I followed this blog post and Microsoft's page. I believe the idea is to
set up the server as an NTP client with the outside world and be an NTP server for its devices.
- Set the W32Time service for automatic start, and change
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer\Enabled to 1 (on)
- then apply the changes with w32tm /config /update
Running w32tm /query /status and w32tm /query /configuration, I get this output.
Running w32tm /query /status and w32tm /query /configuration on a computer that successfully
syncs its time with the server, I get this output.
Both outputs make me think I've set it up correctly? Have I missed a step or fluked it so far?
My Issue:
I have a single computer that won't collect its time with our server. When I run w32tm /query /status
it tells me the source is the Local CMOS Clock (sorry, I forgot to collect the output from this).
I followed advice on how to resolve this from here, here, here, here, here.
Which all generally state:
    net stop w32time
    w32tm /unregister
    w32tm /register
    net start w32time
    w32tm /config /syncfromflags:domhier
    w32tm /config /update
    net stop w32time
    net start w32time
I've tried to do this but the computer just doesn't change from the Local CMOS Clock.
Interestingly, when I attempt to stop w32time I get an error 23 but it still stops. output. I've googled
error 23 for w32time but I can't seem to find what it might be hinting at.
What might I have configured incorrectly? And how might I resolve it?
EDIT: I don't have a GPO for NTP either.
20 Comments
level 1
pertymoose
10 points·5 days ago
    /manualpeerlist:0.uk.pool.ntp.org, 1.uk.pool.ntp.org, 2.uk.pool.ntp.org, 3.uk.pool.ntp.org
Wrong.
This is a space-delimited list and must be formatted as such:
    "/manualpeerlist:0.uk.pool.ntp.org 1.uk.pool.ntp.org 2.uk.pool.ntp.org 3.uk.pool.ntp.org"

    w32tm /config [/computer:<target>] [/update]
        [/manualpeerlist:<peers>] [/syncfromflags:<source>]
        [/LocalClockDispersion:<seconds>]
        [/reliable:(YES|NO)]
        [/largephaseoffset:<milliseconds>]
    manualpeerlist:<peers> - sets the manual peer list to <peers>,
        which is a space-delimited list of DNS and/or IP addresses.
        When specifying multiple peers, this switch must be enclosed in
        quotes.

level 2
--TheCakeIsALie--
3 points·5 days ago
Yep, I found this recently. Loads of blogs explaining what to do use a comma-separated list for this
(not sure why) but it doesn't work, it needs to be spaces, as per the documentation.
level 2
reddit_user33
2 points·5 days ago
Thanks for correcting me. The peer list has been accepted, so I must have done it the way you
suggested.

level 2
DragonFive
1 point·5 days ago
How do you know this

level 3
pertymoose
1 point·4 days ago
Well, it says so when you do w32tm /help
But it's one of those things where if you've had a long struggle with it once only to find out after X
hours it's a stupid formatting issue, then you tend to remember it. Also it's a very common mistake.

level 4
DragonFive
1 point·4 days ago
Cool, thanks! I'm trying to learn more command line things. I do everything manually

level 1
bcrosby007
7 points·5 days ago
This isn't a VM, is it? If it is, make sure it isn't getting its time from the host.

level 2
reddit_user33
3 points·5 days ago
There are no virtual machines on our system.

level 2
uptimefordays
cat herder
3 points·5 days ago
Ah the exciting world of providing your hosts time, if I had a nickel!

level 1
CataphractGW
Sr. Sysadmin
3 points·5 days ago
Check this out.

level 2
reddit_user33
1 point·5 days ago
Thanks, I'll have a look through to see if there is anything unusual.

level 1
RagnarTheRagnar
2 points·5 days ago
Based on that error you got. I would run windows updates, SFC scannow and a hard reboot.
Shouldn't be getting an error turning off that service.

level 1
kifaru_
2 points·5 days ago
I had this issue at a small company we deal with on an ad-hoc basis very recently. Someone had the
genius idea to install a bit of software called Net Time on the PC and that was using port 123 . Might
not be the same issue but make sure that the PID listening on port 123 isn't some random
application. You can run netstat -ano | find "123" to try and figure out what is using that port.
level 2
reddit_user33
2 points·5 days ago
Nice suggestion. Thanks

level 3
kifaru_
1 point·5 days ago
You're welcome. This had me going in circles for a while so hopefully it can help you solve it quicker!

level 1
ringsthelord
2 points·5 days ago
Do you have ONLY one server? If so time is the least of your concerns.

level 2
reddit_user33
3 points·5 days ago
I've raised it in the past. Along with the fact that we don't have a real backup system set up. Or even
the fact that I'm not a system administrator, yet I've been given the role because I'm good with
computers.
I'm guessing what your next words will be and...sigh, I know. :/

level 1
MrMeowMittens
1 point·5 days ago
How far off is the time on the device that won't sync?

level 2
reddit_user33
1 point·5 days ago
More than 5 minutes. The last time it synced was last year.

level 3
MrMeowMittens
1 point·5 days ago
The drift is probably too great and it's bailing out. Try from an elevated command prompt
w32tm /resync
If that doesn't work, manually get the time into this decade and try again

OAuth — Open Authorization


66 Comments


level 1
mrturt

73 points·6 days ago

Nice guide, but unfortunately out of date :-( Implicit Grant flow should be forgotten and replaced with
PKCE flow.

level 2
apatheticonion

8 points·6 days ago

It's been a little while since I have touched OAuth. We were using implicit flow in a web application to
authenticate (no refresh token).
This had the advantage of allowing us to refresh without using a refresh_token by creating an
invisible iframe which navigates to the OAuth login portal then bounces back with an id_token.
This meant the OAuth server domain and the OAuth HTTP server were responsible for all user session
persistence and the web application would only ever have a temporary token which it would extend
just before its expiry.
Is such a thing possible with PKCE?

level 3
gfunk84

9 points·6 days ago

Yep still possible to use a hidden iframe to renew without refresh tokens by using authorization code
and PKCE.

level 4
CharlitoContos

4 points·5 days ago·edited 15 hours ago

Keep in mind, some browsers such as Safari are now blocking iframes by default. Same with third-party
cookies.

level 5
DanteIsBack

1 point·4 days ago

So does this mean this type of auth will not work on safari?

level 6
CharlitoContos

1 point·4 days ago

It depends on how you handle the session. Some IdPs offer ways around this issue using refresh
token rotation. Refresh token rotation allows you to use a refresh token in a SPA. Each time you use
the refresh token it becomes obsolete and a new one is returned with your access token. I've used it
in a personal project where Auth0 acts as the IdP.
OAuth Spec
Auth0 Refresh Token Rotation

level 5
headyyeti

0 points·21 hours ago

Keep in mine
r/boneappletea

level 6
CharlitoContos

1 point·15 hours ago

Typo on mobile 🙄


level 1
GuyWizStupidComments

56 points·6 days ago

Thank you! Struggling on mobile...😅

level 2
UltraChilly

40 points·6 days ago

It's actually only marginally easier to read on desktop :p

level 3
papasmurph

13 points·6 days ago

Just now reading it on a rotated screen, but yes, the font and using italics don't help readability.
Also, this describes specifically how Twitter uses OAuth. I've seen many variants, possibly not
compliant, but I have to support them anyhow.

level 3
Heretic911

13 points·6 days ago

Yup, it's the font that makes it way too hard to read :/

level 3
mecheart4

1 point·5 days ago

It's fine if you open the image in a new tab by itself, and zoom and scroll with a mouse.
- You can middle-button click (the scroll wheel is often a button!) to open links (images!) in tabs
alone.
- You can hold pressed down that middle-button and drag the mouse every direction to scroll.
Further == Faster.
- In Chrome (left-)click once to zoom in/out images alone.
This way you don't have to worry about the image fighting the rest of the page layout, and the
processing overhead slowness. I've done this about a million times over the years, daily. Highly
recommend.
Sometimes lots of dense information may not be best suited to images though, or perhaps needs
more effort to overcome such readability concerns, and this format would be more annoying on
mobile for sure.

level 4
UltraChilly

1 point·5 days ago

Just ctrl+scroll (or ctrl+/-) to find a size that fits your screen and is comfortably legible instead of
struggling with middle-button scroll TBH (who does that, are you, like, insane or something? :p)
But it's not that much more comfortable than pinching on a mobile, is what I meant.

level 1
jsilva31

28 points·6 days ago

Great visual, thank you.

level 1
mkmllr

29 points·6 days ago

I just came across this video today that explained OAuth 2.0 and OpenID Connect pretty well and in
plain simple English, I found it helpful.
level 2
aeritheon

3 points·5 days ago

Thanks for linking this! Really good explanation.

level 2
alexklaus80

2 points·5 days ago

Man, this was the most productive 60 minutes this year. Thanks a lot for sharing!! This dude explained
everything and more than I could ask for.

level 1
Jim-Y

12 points·6 days ago

In the authorization code grant flow, in step 1 the URL should be /authorize instead of /token. In OAuth
terminology /token is the token endpoint and /authorize is the authorization request endpoint.

level 1
tigereyes00

3 points·6 days ago

Great process visual - is this flow tailored for Jwt/SAML token or is it pretty agnostic?

level 2
Iklowto

3 points·6 days ago

It's agnostic with regards to the specific token as long as the token itself carries all the information
the resource server may need to authorize access without knowing anything about the user making
the request beforehand

level 3
JeffLeafFan

2 points·6 days ago

So, if it was a JWT, it’d just need the user id? What other methods could you use aside from JWT?
Just don’t have much experience here.

level 4
Iklowto

1 point·6 days ago

No worries, it gets complicated quickly. One of the things that JWT and OAuth in general
accomplishes is that JWTs encode all information the server could possibly need to verify that the
user is who they say they are.
JWTs encode the request itself (e.g. "Give me the email address of this user"), the requester's
claims (e.g. "I am the admin of the site and I have admin rights"), and all of this is hashed using a
secret string that only the authentication server knows what is. So if the authentication server can't
decrypt the JWT into usable info, it's not a valid token.
Usually a server would authenticate users with server sessions - essentially keeping a state for
every user. But since JWTs pretty much contain all the information we could ever need for
authenticating a user and their request, we don't need the server to maintain a state - in fact, we
don't need the server that the user is making a request to to be able to authenticate the request at
all. Another server can do that - be it your own authentication server, GitHub's, Twitter's, etc.
level 5
kalanosh

4 points·5 days ago

Just to correct: JWTs are decodable by anyone. Grab a JWT from somewhere and go to JWT.io.
So whether a server can extract information from a token is not how you verify a JWT. Instead, a signature is
attached to the token. Then either a public or secret key is used to verify it.
For public verification like Auth0, they store public keys and typically just tell the library where to look,
like jwt-express. But the info in the token can be decoded without the keys.

level 6
Iklowto

1 point·5 days ago

Right, of course. Guess I was tired when I wrote it, thank you for the clarification!

level 5
BHSPitMonkey

1 point·6 days ago

It's worth keeping in mind that the stateless JWT flow you described requires you to think of some
extra mechanisms if you need the ability to revoke tokens you've already issued, e.g. in response to
accounts you suspect have been compromised after the fact.
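An added example, not code from the thread or from any JWT library, to make kalanosh's point and BHSPitMonkey's caveat concrete: the payload is readable by anyone holding the token, so trust comes only from checking the signature with the key, and a valid signature still says nothing about revocation, which needs its own lookup. The HS256 key, the claims and the revoked jti set are constructed values.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for the demo: a real service loads the key from a secret store and
# keeps the revoked-token list (jti values) somewhere every verifying node can read.
SECRET_KEY = b"constructed-demo-hs256-key"
REVOKED_JTI = {"token-0001"}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_hs256(claims: dict, key: bytes) -> str:
    """Build a compact JWT: base64url(header).base64url(payload).base64url(HMAC-SHA256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def decode_unverified(token: str) -> dict:
    """Read the payload with no key at all: the payload is encoded, not encrypted."""
    _, payload_b64, _ = token.split(".")
    return json.loads(_b64url_decode(payload_b64))


def verify_hs256(token: str, key: bytes, now=None) -> dict:
    """Return the claims only if signature, expiry and revocation checks all pass."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token") from None
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm; the token must not be allowed to choose how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:  # a token without exp is treated as expired
        raise ValueError("expired")
    # The signature on a revoked token is still valid; only this lookup catches it.
    if claims.get("jti") in REVOKED_JTI:
        raise ValueError("revoked")
    return claims


def verification_error(token: str, key: bytes, now=None):
    """The reason a token is rejected, or None when it is accepted."""
    try:
        verify_hs256(token, key, now)
    except ValueError as exc:
        return str(exc)
    return None
```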

level 1
WhiteRau

3 points·6 days ago

nice. great visualization. thank you!

level 1
rainbowburst09

3 points·6 days ago

Many thanks!

level 1
MedicOfTime

3 points·6 days ago

As someone who struggles with this every time, I’m saving this.

level 1
aplawson7707

3 points·6 days ago

Effing THANK YOU. I'm a new developer learning the ropes in a company that rolled the dice on me
and is teaching me as I go. I asked my boss to explain OAuth to me the other day and he's a great,
thorough teacher - but I was really struggling to understand the process and how it's implemented.
This was so so helpful to me. Thank you.

level 1
Lumberfox

8 points·6 days ago

Awful font tbh


Edit: thanks for the visual, though!

level 1
InfiniteBlink

2 points·6 days ago

That helped. Thanks person!

level 1
Moony394

2 points·6 days ago

This is amazing time to save this and never look at it again. Seriously though, this is really helpful.
Thank you

level 1
TheEvilMonkeyDied

1 point·6 days ago

Great visualization!

level 1
Midas5k

1 point·6 days ago

I’m on mobile so maybe missed it but what is the difference between the versions like 1.0 and 2.0?

level 1
SuuperNoob

1 point·6 days ago

Why do I feel like I've always been using #2 (with a token)?

level 1
pragyan52yadav

1 point·6 days ago

Thanks a lot for this.

level 1
johnthevillian123

1 point·6 days ago

Thanks for the great diagram. I like how many websites are starting to use OAuth as a way to login
(e.g. Google, Apple, Microsoft, GitHub) since it makes it so much safer and easier to login. You don’t
have to worry about coming up with a new password, forgetting your password, 2-factor auth, and all
sorts of stuff. And if you are already signed in to one of the OAuth servers, no need to login again!

level 2
Isvara

1 point·5 days ago

    so much safer
Now only one credential has to be compromised to gain access to multiple sites.

level 3
ChypRiotE

1 point·5 days ago

True, but this one credential can now be extra complex because that's the only one you need to
remember. Obviously you're still exposed to a failure from the OAuth provider, but that's far less likely
to happen to Google than to a site implementing its own auth.

level 2
Jim-Y

1 point·5 days ago

Just to make sure: for authentication no service should use OAuth2 but OpenID Connect, which is an
extension of OAuth for authentication. It is a common misconception that OAuth in itself is OK for
authn.

level 1
reptilianparliament

1 point·5 days ago

What's the difference between a token and a code?


Also, if the second server passes back the client_id and client_secret at step 9 what's the point of
steps 10-14? What are they validating?
Also thanks for this! :)

level 1
5225225

1 point·5 days ago

Question: is there anything preventing a browser from just redirecting you to a phishing site when
you click 'log in with X'?
Seems like that'd be a more effective attack than a direct link to it which seems to be how most
phishing attacks go, since people would probably be less likely to notice the URL. Or even keep you
on the same site and make it look legitimate, as if you're meant to be there.

level 1
cesarcneto

1 point·5 days ago

Great stuff! But I've got a question and I didn't find the answer in the comments. What is the tool you
used to design this? Thanks!

level 1
TheRedGerund

1 point·5 days ago

Only added detail I might suggest is that the state parameter is often used to prevent CSRF attacks
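An added example, not code from the thread or from any provider's SDK, tying together three corrections made above: the authorization code grant with PKCE that mrturt recommends in place of implicit, sent to /authorize rather than /token as Jim-Y notes, with the state check TheRedGerund mentions for CSRF. The endpoints, client id and redirect URI are constructed placeholders, and `session` stands in for whatever per-user store the client has; the last function is the token endpoint's side of the PKCE check, included so the pair can be exercised offline.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders: substitute the provider's real endpoints and your client id.
AUTHORIZE_ENDPOINT = "https://idp.example/authorize"  # authorization request endpoint
TOKEN_ENDPOINT = "https://idp.example/token"          # token endpoint (code is exchanged here)
CLIENT_ID = "example-public-client"
REDIRECT_URI = "https://app.example/callback"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """Return (code_verifier, code_challenge); only the challenge leaves the client up front."""
    verifier = _b64url(secrets.token_bytes(32))  # 43 chars, inside RFC 7636's 43..128 range
    challenge = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())  # S256 method
    return verifier, challenge


def begin_authorization(session: dict) -> str:
    """Store state and verifier in the caller's session; return the URL to send the browser to."""
    verifier, challenge = make_pkce_pair()
    session["oauth_state"] = secrets.token_urlsafe(16)
    session["code_verifier"] = verifier
    params = {
        "response_type": "code",  # authorization code grant, not the implicit 'token' response
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile",
        "state": session["oauth_state"],
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def handle_callback(session: dict, callback_url: str) -> dict:
    """Validate state from the redirect, then build the body for the /token request."""
    query = parse_qs(urlparse(callback_url).query)
    returned_state = query.get("state", [None])[0]
    expected_state = session.pop("oauth_state", None)  # single use: a replay cannot match twice
    if expected_state is None or returned_state is None or not secrets.compare_digest(
        returned_state, expected_state
    ):
        raise ValueError("state mismatch: callback not started by this session, discard it")
    if "code" not in query:
        raise ValueError("authorization failed: " + query.get("error", ["unknown"])[0])
    return {
        "grant_type": "authorization_code",
        "code": query["code"][0],
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": session.pop("code_verifier"),  # proves we started this flow
    }


def token_endpoint_accepts(stored_challenge: str, presented_verifier: str) -> bool:
    """Server side: recompute S256 over the verifier and compare with the stored challenge."""
    recomputed = _b64url(hashlib.sha256(presented_verifier.encode("ascii")).digest())
    return secrets.compare_digest(recomputed, stored_challenge)
```

The body returned by handle_callback is what gets POSTed to TOKEN_ENDPOINT; a public client sends no client_secret, the verifier is its proof.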

level 1
MMPride

1 point·5 days ago

This is neat, thanks for sharing. A more readable font would have been better probably.

level 1
barbablanca9711

1 point·5 days ago

Great post! Very straightforward, yet complete.

level 1
DreamingDitto

1 point·5 days ago

So should there be one token for every client login?


What if your app itself needs to be authorized by your client? For example, if a client wants a pay
portal using the PayPal API. The client’s PayPal account needs credentials before generating the
authorization code. This will generate a token which can be used to deposit a payment into the
client’s account.
Does this need to be refreshed periodically or with every call/session?
I feel as though it wouldn’t be per session because it would make sense that only one token can be
valid at a time per authorization code.
That said, where would these tokens generally be stored, in the database?

level 1
radiantshaw

1 point·5 days ago

We're trying to implement this in a two-part app and are struggling. By two-part app I mean that we
have a Rails API as a backend and then we have a React Native app which consumes the API. Can
it be implemented in a two-part app? Has anyone done it before? If yes, then could anyone please
explain to me how to do it?

level 1
Zandari

1 point·5 days ago

Does anyone have a folder saved of all these cool visuals? Like cheatsheets etc.

level 2
kamranahmed_se

2 points·5 days ago

I make them every other week. You can find them all at https://roadmap.sh/guides

level 3
Zandari

1 point·5 days ago

Exactly what I was looking for, cheers.

level 1
xxspinalxx

1 point·5 days ago

Great info graphic thanks

level 1
UnderwaterPenguin

1 point·3 days ago

Can anyone explain the difference between an authorization code and a token?
The code is used to get the token, but why the extra step?

Is there a way to forcefully terminate a user's active session in Windows AD?
We have around 200 users in our organization that authenticate to various applications (Jira,
Confluence, Splunk, Oracle tools, etc) within our network via LDAP using their Windows Active
Directory credentials. We have a centralized Active Directory on Windows Server 2016. We have
various contractors that also work for us, and they are leveraging their own company laptops to
access our network as well.
To access any of these tools, one would need to be within the company VPN.
One of the use cases that I'm attempting to fulfill is around immediate AD session/connection
termination which would primarily come into play if an individual was fired. While only disabling the
individual's AD account would prevent them from authenticating to any new applications, I don't
believe that action would kill their existing sessions. For example, if they were logged into an AD-
governed application, such as Splunk or Jira, and their AD account was disabled, I don't believe that
their connection to Splunk/Jira would be immediately terminated.
Is there a way that our AD admins can force-terminate an AD session for a user?
12 Comments

level 1
mpd94

4 points·6 days ago


LDAP auth is kinda primitive nowadays. You'd be better off using something like SAML or OAuth.
Once you authenticate with LDAP there's no accounting, a cookie gets generated and you're logged
in until it expires or the site somehow triggers a reauth. You'd probably want to be able to disconnect
the VPN when the account is disabled and that should be easier than kicking the user out of the
other sites.

level 2
CCRyan40482

2 points·6 days ago

Just got a new job today with Home Depot's IT Dept. and we still use LDAP too, plus an RMA token
for embedding into our mobile phones' MAC address for SSO from our mobile devices as well.
They said that once our phone is embedded with the token it's pretty much in there for good. I am
still learning the ropes (A+ certified, working on Net+ now) but that seems like some major security
issues should they fire a disgruntled Linux master lol.

level 3
Block944

1 point·6 days ago

Atlanta?

level 4
CCRyan40482

1 point·5 days ago

Yep!
level 2
hb3b

2 points·6 days ago

SAML SLO is not implemented consistently in most apps or in most IdPs.


OIDC: Most apps implement their own session management and don't hit an introspection endpoint
periodically to check validity.
One workaround is to have your offboarding logic call each individual app and expire user sessions.
Another is to stick all your web apps behind a reverse proxy and add some intelligent session
management logic there.

level 1
sup3rlativ3

1 point·6 days ago

The only universal way would be to disable the AD account, drop the user session for the service,
and when they go to authenticate again it would fail. You could potentially do this by rebooting the OS
of the service host or possibly by restarting its processes.

level 1
wmassingham

1 point·5 days ago

    if they were logged into an AD-governed application, such as Splunk or Jira, and their AD account
    was disabled, I don't believe that their connection to Splunk/Jira would be immediately terminated
This is correct, because those applications maintain a session. You'd need to talk to those
applications to terminate the session.

level 1
n8_sirly
-1 points·6 days ago

Locking out the user before you disable them (guess the password wrong 3 times) is a pretty
immediate way to make sure the user won't have any more valid sessions. However, if the app only
checks the user once at login, that sounds like an app problem, not an AD problem.

level 2
R-EDDIT

1 point·6 days ago

This sounds like urban legend, but it's not. First, lockout threshold will vary by organization, "three
strikes" is cute in a song about baseball but not best security/usability guidance now. The reason
locking an account would be different from disabling it is that it triggers a high priority replication, but
if you have change notification enabled (as you should) the difference isn't what it used to be. But
this just prevents new authentications from any DC, it doesn't kill any application sessions.

What benefit does Intune have over SCCM?

Discussion

And is it worth the headache to move over to it?


41 Comments

level 1
Reset_Assured

16 points·6 days ago

Intune can act as an extension of SCCM but it is by no means a replacement.

It depends on what you are looking for. Why not use a CMG? (If you have a CSP-managed tenant,
you can't use a CMG.)
You mentioned patching: Intune patching is just Windows Update for Business with a fancy
manager. You can't get full compliance reporting unless you dive into Log Analytics and Update
Compliance right now.
Autopilot is fantastic if your org is built for it.

level 2
machstem

2 points·5 days ago

All the Microsoft shills/consultants I've worked and spoken with try and convince you and your
bossmen that they're nearly identical, but still haven't come near it.

level 3
vferg

1 point·5 days ago

Same, they are all pushing it hardddd. We instantly have no interest in places that try selling us
what they want over what we asked them to show us. Basically everyone's cloud-based solution. I'm
not against Intune, just how it's being pushed.

level 1
Comment deleted by user · 6 days ago

level 2
jasonsandys

MSFT Official

16 points·6 days ago

    Having to punch inbound FW ports for your ConfigMgr MP

This is in no way required or recommended. The CMG role in ConfigMgr manages off-prem systems
without any changes or additions to the on-prem infrastructure.

    managing WSUS storage for a SUP

Not sure what this means. You can certainly configure ConfigMgr managed clients to pull their
content from Microsoft Update if disk space is an issue. Also, WSUS itself in ConfigMgr uses little to
no disk space.

    machine resets via Intune

Device provisioning is not part of Intune but is in fact an entirely different service: Autopilot. Autopilot
without Intune is arguably useless, but they are in fact separate services.

    It opens a pathway to desktop analytics.

Desktop Analytics is unrelated to Intune or co-management.
Better Together is the strategy for MEM: https://home.configmgrftw.com/better-together/

level 3
NeverLookBothWays

3 points·6 days ago

Hah I’ll just wait for you to comment from now on ;)


Thanks Jason!

level 4
jasonsandys

MSFT Official

5 points·6 days ago

Sorry, I meant to add a comment on the end of that post (but Reddit is having issues for me today)
that I'm not trying to be mean and I'm certainly not trying to stifle the conversation as it's a totally
valid one that everyone should be able to openly and freely participate in.

level 5
free_bawler
2 points·6 days ago

    day) that I'm not trying to be mean and I'm certainly not trying to stifle the conversation as it's a
    totally valid one that everyone should be able to openly and freely participate in.
Who is this and what have you done with Jason?

level 6
jasonsandys

MSFT Official

1 point·5 days ago

I don't think I've ever been outright mean to anyone. I'm often blunt for sure, and I do often value my
opinion over most other people's opinions (don't we all) so I can see folks having their delicate
feelings hurt -- which always baffles me. I think/hope I've always been open enough though to invite
discussion and conversation. And, shhh, don't tell my wife and kids, but I am wrong sometimes too.
😃😃

level 5
NeverLookBothWays

2 points·6 days ago

Nah understood completely...I would rather accurate information get to people as much as possible
and I immediately realized there were enough inaccuracies in my reply that it shouldn’t be seen as
good advice. Unfortunately it’s a matter of not being experienced enough (yet) with the cloud
offerings to speak as a mentor on it. (My strengths are more so on the on-prem stuff... and even then,
there is always more to learn). So I yield to the more knowledgeable! :)
I’m also just joking about the waiting for you to comment part. My first thought was, “oh crap, he’s
right!”

level 6
gemack127
0 points·6 days ago

This is typical of most people who fail to look at the product roadmap and the full details on the
SCCM product family. Intune Autopilot is just a poor man's version of SCCM and set to be an
extension of the on premise SCCM

level 7
jasonsandys

MSFT Official

2 points·6 days ago

I would never ever characterize it this way. That is certainly not the vision, intent, or design either.
There is certainly some overlap in purpose and operational functionality, but there are many differences
and distinctions that allow the entire suite to be flexible and adaptable to different scenarios and
customer challenges. In general, as noted, the various pieces of MEM are meant to be
complementary though.
If you are used to and require the full-featured functionality in ConfigMgr and you are attempting to
move to Intune, then it could certainly be viewed as a step-down though, as Intune is meant to be
lighter. It's not "worse", it's just a different approach to management, similar to how mobile devices are
managed. This may or may not be sufficient for your org and its requirements -- that's for each org to
determine. Or, you can of course have the best of both worlds by using co-management. Better
Together!

level 8
gemack127

-1 points·5 days ago

Before making partial statements, please read the following link. I never said worse; I said poor-man's,
which means limited in rich features. Both SCCM and Intune Autopilot are part of the Endpoint
Management Suite. My statement still stands, as I am a present consultant for both products.
Based on my 24 years of IT experience, I strongly believe that they will eventually become one
product. Please read the details below. Enjoy.
https://docs.microsoft.com/en-us/mem/endpoint-manager-overview

level 9
NeverLookBothWays

1 point·5 days ago

Even so, there are a set of things Intune can do for Windows 10 that ConfigMgr really cannot (or at
least cannot do easily). So Intune is not really so much a cheaper version of ConfigMgr (functionally,
that is) as it is rather its own unique "modern management" approach to Windows 10 (and
cheaper.. hah).
I kind of feel we are already there in that they are one product with MEM. But that said, you could be
right, as all it would take would be to develop additional mechanisms in Intune, and voilà, you could have
feature parity. And as much as I love ConfigMgr (been administering a site since it was named SMS),
I would probably jump over if that happens... mainly to reduce complexity. To me, ConfigMgr is great,
but has somewhat of a heavy xmas tree problem (e.g. it has been iterated on so much, with new
ornaments, that it kind of leans to the side).

level 10
gemack127

1 point·5 days ago

I agree with the heavy xmas tree. I hope the two get merged with a flavor of Advanced (Full SCCM)
vs Simple (Intune Advanced). I say cheaper because the rumor is that SCCM is priced out of reach,
which it isn't if you understand how the licensing works.

level 10
jasonsandys

MSFT Official

1 point·5 days ago

to develop additional mechanisms in Intune, and voilà, could have feature parity.
This will never happen (I know, never say never). Intune is, as noted, a different tool. Feature parity
is not anywhere in the design goals or vision. It is not a replacement for ConfigMgr and is not meant
to be.

level 9
jasonsandys

MSFT Official

1 point·5 days ago

First, as I always note, open discussion is fabulous and I am in no way attempting to discount
anyone's voice or opinion, as we are all entitled to both.
As for the comments, as noted, it's different; whether its feature set is "limited" is a qualitative
evaluation compared to a pre-conceived set of requirements. Autopilot and Intune are built for
organizations with a different set of requirements, which in general are characterized as "modern".
Whether these fit a specific organization's requirements and desires is up to that organization. It's
not about being worse, poor, or any other direct comparison; they are just different and have
different approaches which include "modern" scenarios. That in no way implies that modern is
defined by the tool though, it just implies that you need to use the right tool for the right job.
There is a clear convergence of the technologies and products; that's the entire reason we created
the MEM suite. However, what truly happens in the next 10 years is anyone's guess. At this time,
there is no planned single master product or service; however, as noted, there is a clear direction
and unified vision (Better Together) for all of the products and services in the suite, and that's to
make them work seamlessly together so that they each complement the other and provide full (or as
full as possible) coverage for the many varying customer requirements and scenarios.
I'm not here to compare resumes or belittle anyone in any way, so please let's not start a measuring
contest.

level 1
bdam55

Admin - MSFT Enterprise Mobility MVP (damgoodadmin.com)

9 points·6 days ago


The biggest benefit to Intune is the lack of on-prem infrastructure. ConfigMgr is a beast in terms of
all the pieces you need to install, configure, and (most crucially) maintain. You intrinsically become a
web and SQL server specialist.
The trade-off is the edge cases. ConfigMgr has almost a two decade head start on supporting edge
cases that may seem weird to you but are show-stoppers for someone else.
My 10,000 foot impression remains the same: If you are a small to medium business (<=3000
clients) you have to argue why Intune can't work for your org (and there are legit reasons). My first
gig was at a company with two locations and 200 devices. What I would have given to have
something like Intune.

level 2
Reset_Assured

3 points·6 days ago

A smaller company going to Intune is a no-brainer. For a larger company, you really need a reason
to make that transition. And those are organizational decisions, such as shipping devices and help
desk support.

level 3
Obvious-Trouble

1 point·5 days ago

You intrinsically become a web and SQL server specialist.


Any tips or resource I can look up to on how to get better at this? It's my Achilles' heel and I just
inherited the infrastructure. :) Thanks

level 4
bdam55

Admin - MSFT Enterprise Mobility MVP (damgoodadmin.com)

1 point·2 days ago


Wait for it to break, Google search error codes, repeat.

level 2
ioan_popovici

1 point·2 days ago

Intune is nice and all, but we have like 8k servers. It would be really hard to migrate those, especially
when Intune does not support servers :))
I think that for now Intune is meant to supplement MEMCM and vice versa. I said for now, because MS
has definitely shifted gears towards the cloud.

level 3
bdam55

Admin - MSFT Enterprise Mobility MVP (damgoodadmin.com)

1 point·2 days ago

Right, if you've got a huge server farm things look totally different.
Though, for some people the server licensing is just absolutely stupidly expensive (>1k/year). It
might be worth splitting it up into 'easy' Intune for workstations and literally any other solution for
your servers. Azure Automation is a real thing though with that kind of server presence that probably
doesn't cut it.

level 4
ioan_popovici

1 point·1 day ago

Yes, there is no clear-cut answer for now. It depends on the need. We also have about 15k
workstations managed with the same MEMCM instance. Having both servers and workstations in
the same instance does have its advantages. Co-management is the way to go for us and we are
looking into Intune. The main problem is the licenses. It’s not exactly clear to me what licenses we
need. In one document it states that if you have ConfigMgr you just need one license and Intune
is ‘free’. In the other it says that you need an E3 license for every machine or user.
From what I gather you can use Intune with co-management, but you can’t onboard directly with
Intune on the ‘free’ model.
Another thing would be Desktop Analytics, which was previously free. With the new ‘improved’ and
‘simplified’ licensing model this is no longer the case; you need to buy licenses.
Anyway, we’ll figure this out soon I hope. I really want to start using Intune this year!

level 5
bdam55

Admin - MSFT Enterprise Mobility MVP (damgoodadmin.com)

1 point·1 day ago

From what I gather you can use intune with co-management but you can’t onboard directly with
intune on the ‘free’ model.
Right, there's been a lot of discussion on this and a couple of long threads on the MVP mailing list. If
you have absolutely no other Azure licensing then co-management really doesn't work. The big
sticking point is the Azure AD Premium requirement which is needed to light up the ability for
ConfigMgr to auto-enroll the device in Intune. There's a few 'missing' features too, the biggest one
being Autopilot. High level, the idea is that the ConfigMgr 'free' license assumes you're coming from
ConfigMgr to Intune, not from Intune (autopilot, user-initiated registration) to ConfigMgr.

level 6
ioan_popovici

1 point·1 day ago

We have Azure AD Premium. That’s what I am not clear about, and our license consultants really
suck.
So if we have Azure AD Premium and ConfigMgr licenses, do we still need E3 licenses for every
device if we are not enrolling from Intune?
I want at least to have co-management for now, until I can convince management to get Intune
licenses....

level 1
flercemel0n

5 points·6 days ago

They both have their benefits and caveats.


Logging in intune sucks. Bad. What went wrong? Guess away...

level 1
redog

5 points·6 days ago

Lack of infrastructure to maintain.

Simplified remote management.
I'm in love with proactive remediation, even if it's not as powerful as SCCM remediation.
Intune makes you wait on things for much longer though... that's certainly been a difficult transition for
myself. Advanced threat protection is pretty nifty too.

level 1
whoelse_

3 points·6 days ago

If you've got a lot of servers and mobile users with an existing O365 presence, co-management
(Intune + SCCM) might be worth looking into.
Intune doesn't do servers (yet).

level 1
sccmhatesme

3 points·6 days ago


My org is going to be implementing Intune alongside SCCM.
We won't get rid of SCCM, but we will leverage some of the newer capabilities of Intune.
My main focus and part in the project is configuring Autopilot, with the goal of zero-touch deployments
of new machines to users around the states. Definitely excited to see how much I can automate this
process.

level 1
DWolvin

3 points·6 days ago

I was only a user of Intune on my last job, but knee deep in SCCM on this one. I can't think of any
benefit at all to Intune.

level 2
mynameisbaseer

3 points·6 days ago

Not even for patching?

level 3
jasonsandys

MSFT Official

3 points·6 days ago

Eye of the beholder. Which is easiest and best for you is for you to determine. This is the entire point
of co-management though: so that you can choose which workload is best managed by which
authority.
level 3
DWolvin

3 points·6 days ago

You can patch through both; I don't know if it's easier (but it's not hard in SCCM).

level 1
BigTex_1971

1 point·6 days ago

Autopilot for BYOD with Azure AD. Game changer for our company with offices throughout the world.

level 2
aperijove

2 points·6 days ago

This is the biggest benefit that we see with our customers. It's not without its challenges but if you
have significant global spread then being able to ship direct to the user is indeed a game changer.
I think the problem is that although the tech story from Microsoft is "better together" the marketing
pitch and everything from the TAMs is "cloud first, Intune is the future, ConfigMgr is the past". We
hear this all the time, same with SCOM, we get superb results for customers with SCOM as we do
with SCCM but if the customer has spoken to anyone from Microsoft you'd think that these products
were Windows ME.

level 2
RuleC

1 point·5 days ago

You register BYOD devices as Autopilot devices? Never seen this before as you are effectively
taking management ownership of the device away from the user.

level 1
gandraw

1 point·6 days ago

Don't look at Intune as a way to replace SCCM. Look at it as a way to manage systems for
companies that have looked at SCCM and decided not to go that way because it's too much effort.

level 1
BluRayofDeath

1 point·6 days ago

We are just wait-and-see at the moment. One of our data centre tenants is going cloud-everything
and that has been interesting. They're small (<1000), so Intune/Autopilot/Azure seemed a good fit
for them.
The fun started with patching, when the latest Win10 feature update went down and BSOD'd every
one in the pilot (30 devices) due to an AV problem, whereas in SCCM it had been set not to deploy it.
The patch had been deferred I think and a big assumption applied. They learnt a lesson -> pilot is
not production, so treat it as such.
Autopilot has been fun, due to the security setup and networking. Installing apps afterwards has
been a pain; some have to be manual as Intune can't handle them, whereas SCCM was fine (they
are not a basic install). Still, I think it has promise.

level 1
senectus

1 point·5 days ago

Don't pretend that you can choose not to use Intune.

The best approach is to acknowledge that it is inevitable, and PLAN the move. The best solution is typically
Co-Manage, preferably with a CMG.


Where do I go next?

I have been learning SQL and have found SQL Bolt to be great. I have also utilized the Codecademy
class that covers much the same topics.
I think I have a decent grasp of these concepts. What is there to learn next? Or is it that there is less
to learn and more complex queries to put together? Any guidance on how to deepen my knowledge
or to advance my skills would be appreciated, but as I mentioned I am at a loss as to how to continue.
Thanks.
level 1
iqueryyou

1 point·21 days ago

Test your skills in

SQLZoo
HackerRank
LeetCode

level 1
chris1666

1 point·11 days ago


From looking at Codecademy before, I'd dare say that you'd have to complete the entire pro level
before you were deep into it and on a professional level, and no, I have not; I'm working with a different
program.
Also keep in mind the average intermediate SQL course is over 20 hours long, and that's not with in-
depth practice; just my 10 cents.
And as far as how to deepen your knowledge, big areas I'm looking at are Transact-SQL and database
management.