Jump to content

All Activity

This stream auto-updates     

  1. Today
  2. Great thanks. I guess I'm looking for what the TS steps would be as well. Chris
  3. Yesterday
  4. you could follow this guide and it should populate your keys in configmgr's database https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/mbam-v25/how-to-enable-bitlocker-by-using-mbam-as-part-of-a-windows-deploymentmbam-25
  5. Yes correct. We have ConfigMgr 1910 working and I'm able to deploy to exisiting clients which then requires them to install. My question is how do you deploy this with bare metal /or inplace upgrade in a task sequence so MDOP/MBAM is already installed and the device is encrypted with ConfigMngr managing keys. Thanks Chris
  6. just to be clear, are you saying you want to have your OSD task sequences take care of Bitlocker Encryption and storage of the key in ConfigMgr 1910 with the bitlocker management feature enabled ?
  7. Hi All - We just completed setting up BitLocker management with 1910. We’re able to push the policy to the clients and install and the self service portal is all working. We aren’t currently using BitLocker so this a totally new deployment. My question is we are about to start a large roll out of new systems and I’m looking for documentation on how to set this up in our task sequence so that BitLocker is installed and turned on after imaging without end user interaction. I’ve done this at my previous job but we were not doing MBAM just storing keys in AD so this all new to me. I’ve poured through all of the tremendous information here but still seem to be missing this piece and need to start getting new systems into the wild. Any help would be greatly appreciated! Thanks! Chris
  8. Hi Niall, thanks for your reply. I did everything you mentioned, but now I got a really strange error message, when I try to load a report (via the browser URL to the Reportserver): A connection was successfully established with the server, but then an error occurred during the login process. (provider: SSL Provider, error: 0 - The certificate chain was issued by an authority that is not trusted.) I tried that from the Reportserver itself, which is hosted on the SCCM Primary Site (The SQL Server is also on that Server - Primary Site) I don't know why, because if I click on the lock in the browser to see the certificate and its chain, everything looks ok. Have you got an idea, what I did wrong ? Thanks in advance. Florian
  9. Last week
  10. hi Florian, I'd suggest you look inside the powershell script itself, and use switches based on that, here's a hint, post your results here. And as regards the Bitlocker Management websites being in SSL or not, Microsoft recommends but doesn't require the use of HTTPS for the Bitlocker websites (HTTPS is still required in CM1910 for the MP recovery service endpoint though) https://docs.microsoft.com/en-us/configmgr/protect/deploy-use/bitlocker/setup-websites
  11. Hi Niall, thanks for your reply. OK, I installed the Helpdesk and the SelfService on the Distribution Point. How can I now remove the old installation (Helpdesk and Selfservice) from the primary site ? Can you also tell me, if it is a must to set the ssl settings for both iis sites (Helpdesk and SelfService) to RequireSSL ? Thanks in advance. Florian
  12. it's covered in this video, simply point it to the servername where you intend those services to run and the command lines are here.
  13. Hi Niall, thanks for your quick reply. 1. Can you please post the commandlines I have to use for moving those roles to another server ? 2. If I understand correctly, I don't have to prepare something, because: - I am a full admin in Configuration Manager - My MPs are all HTTPs enabled - The reporting service point is on my primary site (here it can stay, or must it be also installed on the Distribution Point, where I want the Helpdesk and SelfService to be ?) - I only have to install the ASP.NET MVC 4.0 on the Distribution Point, where I want to host the SelfService and the Helpdesk, correct ? - My user is a sql sysadmin I would appreciate a quick answer. Florian
  14. you can move them by running the powershell script to install the helpdesk and self service desk on another site server, it must have IIS installed along with the prerequisites below In version 1910, to create a BitLocker management policy, you need the Full Administrator role in Configuration Manager. To integrate the BitLocker recovery service in Configuration Manager requires a HTTPS-enabled management point. On the properties of the management point, the Client connections setting must be HTTPS. Note In version 1910, it doesn't support Enhanced HTTP. To use the BitLocker management reports, install the reporting services point site system role. For more information, see Configure reporting. Note In version 1910, for the Recovery Audit Report to work from the administration and monitoring website, only use a reporting services point at the primary site. To use the self-service portal or the administration and monitoring website, you need a Windows server running IIS. You can reuse a Configuration Manager site system, or use a standalone web server that has connectivity to the site database server. Use a supported OS version for site system servers. Note In version 1910, only install the self-service portal and the administration and monitoring website with a primary site database. In a hierarchy, install these websites for each primary site. On the web server that will host the self-service portal, install Microsoft ASP.NET MVC 4.0. The user account that runs the portal installer script needs SQL sysadmin rights on the site database server. During the setup process, the script sets login, user, and SQL role rights for the web server machine account. You can remove this user account from the sysadmin role after you complete setup of the self-service portal and the administration and monitoring website.
  15. Hi All, I have the following problem. Today, we have the SCCM CB1910 Bitlocker Selfservice and the Helpdesk on the SCCM Primary Site Server. Now, we want to move out, those mainly used services to another server (in our case a distribution server which is located in another data center). First: Is this possible, or must those services be located on a Primary Site ? Second: How can I get rid of the actual IIS Sites (Self Service and Helpdesk) or move them to another server ? Third: What are the prereqs, we have to do, before we move it to the other server (install additional roles, or something like that) I would appreciate a quick answer. Florian
  16. I think I solved it. I made the RamDiskTFTPBlockSize lower than normal...
  17. did you try to restart the wds service and redist your boot images after doing the change ?
  18. I have what is probably a dumb question. If I have a mandatory assignment, the reboot option is not shown unless System restart under User Experience is checked, correct? If so, if I check that and then check to suppress notification on Servers and Workstations under User Experience, the result will be the same as it would have been if I didn't check the System restart box, correct?
  19. hi, see below do we need to enable full disk encryption during the OSD for this to work? the following docs explain that you can do this during OSD By default, the Enable BitLocker task sequence step only encrypts used space on the drive. BitLocker management uses full disk encryption. Configure this task sequence step to enable the option to Use full disk encryption. For more information, see Task sequence steps - Enable BitLocker. -do we need to set bitlocker encryption levels in the OSD still and GPOs or just use the new Bitlocker deployment policy after the machine is online? it's up to you which way works better, do you want to control bitlocker (keys) during OSD or after, that's entirely up to you, the easiest way is to simply target the policy after it's imaged, but the safest way is to configure it during OSD.
  20. Following off of HermanB's comment. We didn't do MBAM and just managed the keys (tediously) in AD and enabled Bitlocker via the OSD with tasks setting registry values. Also, not enabling full disk encryption, just used space. All of it it working fine, but I was just thinking of having that management done by Config Mgr. My questions: -do we need to enable full disk encryption during the OSD for this to work? -do we need to set bitlocker encryption levels in the OSD still and GPOs or just use the new Bitlocker deployment policy after the machine is online? I see you stated that current machines protected with bitlocker will keep their keys in AD as well as their encryption levels. I'm more worried about new machines deployed and the OSD changes needed.
  21. if you want to remove choice then simply deploy the task sequence with a purpose of Required, but, be warned, be very careful about what collection you deploy any required task sequences too because they are Mandatory and can cause all sorts of issues if you get your queries wrong, or if you target a collection with many computers inside...
  22. Earlier
  23. Hi Everyone, My First Post Here For a while, I'm trying to find on the web some guidance for my lab, how to skip the task sequence selection window in WINPE and go straight to imaging -- Example Collection: Win10 -> Task sequence Win10 or Collection Server 2016 -> Task sequence Server 2016 The only tip I found was to to create a VBScript and apply in the Boot Image cscript AutoStartOSD.vbs Set DefaultOSDTS = CreateObject("Microsoft.SMS.TSEnvironment") DefaultOSDTS("SMSPreferredAdvertID") = "XXXXX" Any help will be appreciated Thank you !
  24. Hej Niall, this is my first post after many years following your great posts, so thank you for your great effort (Tack). Is there any limits on how many variables (options) to show in HTA? I'm struggling to make HTA show 6 language options, but it only shows 4 and the 4 are working fine. Please find some screenshots in the attached doc, as I said it only show the first 4 and not showing German and italian: OSName1 swedish OSName2 English OSName3 Frensh OSName4 Spanish OSName5 German OSName6 Italian What I'm doing wrong? Thank you in advance. ===================== Update (Resolved): I figured it out by myself, it was validation.js, thanks anyway
  25. did you already create a policy previously ? i'd suggest you look at my videos here, start with #1 and work your way through them, i cover this exact question in there. BitLocker management – Part 1 Initial setup BitLocker management – Part 2 Deploy portals BitLocker management – Part 3 Customize portals BitLocker management – Part 4 Force encryption with no user action BitLocker management – Part 5 key rotation BitLocker management – Part 6 Force decryption with no user action BitLocker management – Part 7 Reporting and compliance BitLocker management – Part 8 Migration BitLocker management – Part 9 Group Policy settings BitLocker management – Part 10 Troubleshooting
  1. Load more activity
  • Newsletter

    Want to keep up to date with all our latest news and information?
    Sign Up
  • Create New...