All Activity

  1. Today
  2. Did you try to restart the WDS service and redistribute your boot images after making the change?
  3. Yesterday
  4. I have what is probably a dumb question. If I have a mandatory assignment, the reboot option is not shown unless "System restart" under User Experience is checked, correct? If so, if I check that and then check to suppress notifications on servers and workstations under User Experience, the result will be the same as it would have been if I hadn't checked the "System restart" box, correct?
  5. Hi, see below.

     > do we need to enable full disk encryption during the OSD for this to work?

     The following docs explain that you can do this during OSD:

     "By default, the Enable BitLocker task sequence step only encrypts used space on the drive. BitLocker management uses full disk encryption. Configure this task sequence step to enable the option to Use full disk encryption. For more information, see Task sequence steps - Enable BitLocker."

     > do we need to set bitlocker encryption levels in the OSD still and GPOs or just use the new Bitlocker deployment policy after the machine is online?

     It's up to you which way works better: do you want to control BitLocker (keys) during OSD or after? That's entirely up to you. The easiest way is to simply target the policy after it's imaged, but the safest way is to configure it during OSD.
  6. Last week
  7. Following off of HermanB's comment. We didn't do MBAM and just managed the keys (tediously) in AD and enabled BitLocker via the OSD with tasks setting registry values. Also, we didn't enable full disk encryption, just used space. All of it is working fine, but I was just thinking of having that management done by Config Mgr. My questions:

     - do we need to enable full disk encryption during the OSD for this to work?
     - do we need to set BitLocker encryption levels in the OSD still and GPOs, or just use the new BitLocker deployment policy after the machine is online?

     I see you stated that current machines protected with BitLocker will keep their keys in AD as well as their encryption levels. I'm more worried about new machines deployed and the OSD changes needed.
  8. If you want to remove choice then simply deploy the task sequence with a purpose of Required, but be warned: be very careful about what collection you deploy any required task sequences to, because they are mandatory and can cause all sorts of issues if you get your queries wrong, or if you target a collection with many computers inside...
  9. Hi Everyone, my first post here for a while. I'm trying to find on the web some guidance for my lab: how to skip the task sequence selection window in WinPE and go straight to imaging. Example: Collection Win10 -> Task sequence Win10, or Collection Server 2016 -> Task sequence Server 2016. The only tip I found was to create a VBScript and apply it in the boot image:

         cscript AutoStartOSD.vbs

         ' AutoStartOSD.vbs: preselect a task sequence deployment from the boot image
         Set DefaultOSDTS = CreateObject("Microsoft.SMS.TSEnvironment")
         ' XXXXX is the deployment ID of the task sequence to run
         DefaultOSDTS("SMSPreferredAdvertID") = "XXXXX"

     Any help will be appreciated. Thank you!
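The same idea as the script in the post above, worked into a boot-image prestart script; this is an added example, not code from the post or from ConfigMgr. It sets SMSTSPreferredAdvertID, the documented task sequence variable that makes the engine run a specific deployment without showing the selection window, and picks the deployment ID from the hardware model so one boot image can serve both the Win10 and the Server 2016 collections. The model names and deployment IDs in the map are placeholders, and the boot image is assumed to have the PowerShell and WMI optional components.

```powershell
# Added example, not from the original post: a boot-image prestart script that
# sets SMSTSPreferredAdvertID (the documented task sequence variable) so the
# task sequence selection window is skipped and the chosen deployment runs.
# Assumptions: the model names and deployment IDs in $deploymentByModel are
# placeholders, and the boot image has the PowerShell and WMI optional
# components so Get-CimInstance works in WinPE.

# Hypothetical map: model string from Win32_ComputerSystem -> TS deployment ID.
$deploymentByModel = @{
    'Virtual Machine' = 'PS120001'   # placeholder: Win10 task sequence deployment
    'PowerEdge R740'  = 'PS120002'   # placeholder: Server 2016 task sequence deployment
}

# Deployment to use when the model is not in the map. Leave empty to fall back
# to the normal task sequence selection window instead of guessing.
$defaultDeployment = ''

function Select-TsDeployment {
    param(
        [Parameter(Mandatory)] [string]    $Model,
        [Parameter(Mandatory)] [hashtable] $Map,
        [string] $Default = ''
    )
    # Exact match only: a partial match could image a server with a workstation TS.
    if ($Map.ContainsKey($Model)) { return $Map[$Model] }
    return $Default
}

$model        = (Get-CimInstance -ClassName Win32_ComputerSystem).Model.Trim()
$deploymentId = Select-TsDeployment -Model $model -Map $deploymentByModel -Default $defaultDeployment

if ($deploymentId) {
    # The task sequence environment COM object is available to prestart commands.
    $tsenv = New-Object -ComObject 'Microsoft.SMS.TSEnvironment'
    $tsenv.Value('SMSTSPreferredAdvertID') = $deploymentId
    Write-Host "Model '$model' mapped to deployment $deploymentId; selection window will be skipped."
} else {
    Write-Host "No mapping for model '$model'; the task sequence selection window will be shown."
}
```

Run it as the boot image's prestart command (for example `powershell.exe -ExecutionPolicy Bypass -File AutoStartOSD.ps1`). The exact-match lookup and the empty default are deliberate: a script that silently picks a deployment for an unknown model has the same blast radius as a required deployment on the wrong collection, so an unmapped machine should get the wizard, not a guess.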
  10. Hej Niall, this is my first post after many years following your great posts, so thank you for your great effort (Tack). Are there any limits on how many variables (options) the HTA can show? I'm struggling to make the HTA show 6 language options, but it only shows 4, and those 4 are working fine. Please find some screenshots in the attached doc; as I said, it only shows the first 4 and doesn't show German and Italian:

      OSName1 Swedish
      OSName2 English
      OSName3 French
      OSName4 Spanish
      OSName5 German
      OSName6 Italian

      What am I doing wrong? Thank you in advance.

      ===================== Update (Resolved): I figured it out by myself, it was validation.js. Thanks anyway.
  11. Did you already create a policy previously? I'd suggest you look at my videos here; start with #1 and work your way through them, I cover this exact question in there.

      BitLocker management – Part 1 Initial setup
      BitLocker management – Part 2 Deploy portals
      BitLocker management – Part 3 Customize portals
      BitLocker management – Part 4 Force encryption with no user action
      BitLocker management – Part 5 Key rotation
      BitLocker management – Part 6 Force decryption with no user action
      BitLocker management – Part 7 Reporting and compliance
      BitLocker management – Part 8 Migration
      BitLocker management – Part 9 Group Policy settings
      BitLocker management – Part 10 Troubleshooting
  12. I'm trying to get BitLocker set up in SCCM CB 1910. When I get to Client Management, though, "Allow Recovery Information to be stored in plain text" is greyed out. Does anyone know why this might be the case? This is in a lab, first BitLocker policy. Many thanks.
  13. You'd need to provide some actual context of what you are trying here and where it failed. Can you tell us more about your problem?
  14. 2020-02-12 18:16:46, Info SYSPRP ========================================================
      2020-02-12 18:16:46, Info SYSPRP === Beginning of a new sysprep run ===
      2020-02-12 18:16:46, Info SYSPRP ========================================================
      2020-02-12 18:16:46, Info [0x0f004d] SYSPRP The time is now 2020-02-12 18:16:46
      2020-02-12 18:16:46, Info [0x0f004e] SYSPRP Initialized SysPrep log at C:\WINDOWS\system32\sysprep\Panther
      2020-02-12 18:16:46, Info [0x0f0054] SYSPRP ValidatePrivileges:User has required privileges to sysprep machine
      2020-02-12 18:16:46, Info [0x0f007e] SYSPRP FCreateTagFile:Tag file C:\WINDOWS\system32\sysprep\Sysprep_succeeded.tag does not already exist, no need to delete anything
      2020-02-12 18:16:46, Warning SYSPRP WinMain: File operations pending
      2020-02-12 18:16:46, Info [0x0f005f] SYSPRP ParseCommands:Found supported command line option 'GENERALIZE'
      2020-02-12 18:16:46, Info [0x0f005f] SYSPRP ParseCommands:Found supported command line option 'SHUTDOWN'
      2020-02-12 18:16:46, Info [0x0f003d] SYSPRP WinMain:Displaying dialog box for user to choose sysprep mode...
      2020-02-12 18:16:48, Info [0x0f00d7] SYSPRP WinMain:Pre-validing 'cleanup' internal providers.
      2020-02-12 18:16:48, Info SYSPRP RunDlls:Running platform actions specified in action file for phase 3
      2020-02-12 18:16:48, Info SYSPRP SysprepSession::CreateSession: Successfully created instance with action file C:\Windows\System32\Sysprep\ActionFiles\Cleanup.xml, and mode <null>
      2020-02-12 18:16:48, Info SYSPRP SysprepSession::Validate: Beginning action execution from C:\Windows\System32\Sysprep\ActionFiles\Cleanup.xml
      2020-02-12 18:16:48, Info SYSPRP SysprepSession::CreateXPathForSelection: Sysprep mode in registry is <null>
      2020-02-12 18:16:48, Info SYSPRP SysprepSession::CreateXPathForSelection: Processor architecture in registry is AMD64
      2020-02-12 18:16:48, Info SYSPRP ActionPlatform::LaunchModule: Executing method 'Sysprep_Clean_Validate_Opk' from C:\Windows\System32\spopk.dll
      2020-02-12 18:16:48, Info CSI 00000001 Shim considered [l:125]'\??\C:\WINDOWS\Servicing\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.651_none_5f2896f458eff373\wcp.dll' : got STATUS_OBJECT_PATH_NOT_FOUND
      2020-02-12 18:16:48, Info CSI 00000002 Shim considered [l:122]'\??\C:\WINDOWS\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.651_none_5f2896f458eff373\wcp.dll' : got STATUS_SUCCESS
      2020-02-12 18:16:48, Error SYSPRP Sysprep_Clean_Validate_Opk: Audit mode can't be turned on if there is an active scenario.; hr = 0x800F0975
      2020-02-12 18:16:48, Error SYSPRP ActionPlatform::LaunchModule: Failure occurred while executing 'Sysprep_Clean_Validate_Opk' from C:\Windows\System32\spopk.dll; dwRet = 0x975
      2020-02-12 18:16:48, Error SYSPRP SysprepSession::Validate: Error in validating actions from C:\Windows\System32\Sysprep\ActionFiles\Cleanup.xml; dwRet = 0x975
      2020-02-12 18:16:48, Error SYSPRP RunPlatformActions:Failed while validating Sysprep session actions; dwRet = 0x975
      2020-02-12 18:16:48, Error [0x0f0070] SYSPRP RunDlls:An error occurred while running registry sysprep DLLs, halting sysprep execution. dwRet = 0x975
      2020-02-12 18:16:48, Error [0x0f00d8] SYSPRP WinMain:Hit failure while pre-validate sysprep cleanup internal providers; hr = 0x80070975
      2020-02-12 18:16:48, Info [0x0f0052] SYSPRP Shutting down SysPrep log
      2020-02-12 18:16:48, Info [0x0f004d] SYSPRP The time is now 2020-02-12 18:16:48
  15. It was linked to in the article, see https://docs.microsoft.com/en-us/windows/deployment/update/waas-manage-updates-wufb

      Types of updates managed by Windows Update for Business

      Windows Update for Business provides management policies for several types of updates to Windows 10 devices:

      - Feature updates: previously referred to as upgrades, feature updates contain not only security and quality revisions, but also significant feature additions and changes; they are released semi-annually in the fall and in the spring.
      - Quality updates: these are traditional operating system updates, typically released the second Tuesday of each month (though they can be released at any time). These include security, critical, and driver updates. Windows Update for Business also treats non-Windows updates (such as those for Microsoft Office or Visual Studio) as quality updates. These non-Windows updates are known as "Microsoft updates", and devices can be configured to receive or not receive such updates along with their Windows updates.
      - Driver updates: these are non-Microsoft drivers that are applicable to your devices. Driver updates can be turned off by using Windows Update for Business policies.
      - Microsoft product updates: these are updates for other Microsoft products, such as Office. These updates can be enabled or disabled by using Windows Update for Business policy.

      Offering

      You can control when updates are applied, for example by deferring when an update is installed on a device or by pausing updates for a certain period.

      Manage which updates are offered

      Windows Update for Business offers you the ability to turn on or off both driver and Microsoft product updates.

      - Drivers (on/off): When "on," this policy will not include drivers with Windows Update.
      - Microsoft product updates (on/off): When "on," this policy will install updates for other Microsoft products.

      Manage when updates are offered

      You can defer or pause the installation of updates for a set period of time.

      Defer or pause an update

      A Windows Update for Business administrator can defer the installation of both feature and quality updates from deploying to devices within a bounded range of time from when those updates are first made available on the Windows Update service. You can use this deferral to allow time to validate deployments as they are pushed to devices. Deferrals work by allowing you to specify the number of days after an update is released before it is offered to a device (if you set a feature update deferral period of 365 days, the device will not install a feature update that has been released for less than 365 days). To defer feature updates use the Select when Preview Builds and Feature Updates are Received policy.

      Category          Maximum deferral
      Feature updates   365 days
      Quality updates   30 days
      Non-deferrable    none

      Pause an update

      If you discover a problem while deploying a feature or quality update, the IT administrator can pause the update for 35 days to prevent other devices from installing it until the issue is mitigated. If you pause a feature update, quality updates are still offered to devices to ensure they stay secure. The pause period for both feature and quality updates is calculated from a start date that you set. To pause feature updates use the Select when Preview Builds and Feature Updates are Received policy, and to pause quality updates use the Select when Quality Updates are Received policy. For more information, see Pause feature updates and Pause quality updates.

      Select branch readiness level for feature updates

      The branch readiness level enables administrators to specify which channel of feature updates they want to receive. Today there are branch readiness level options for both pre-release and released updates:

      - Windows Insider Program for Business pre-release updates: Windows Insider Fast, Windows Insider Slow, Windows Insider Release Preview
      - Semi-annual Channel for released updates

      Prior to Windows 10, version 1903, there are two channels for released updates: Semi-annual Channel and Semi-annual Channel (Targeted). Deferral days are calculated against the release date of the chosen channel. Starting with Windows 10, version 1903 there is only the one release channel: Semi-annual Channel. All deferral days will be calculated against a release's Semi-annual Channel release date. To see release dates, visit Windows Release Information. You can set the branch readiness level by using the Select when Preview Builds and Feature Updates are Received policy. In order to use this to manage pre-release builds, first enable preview builds by using the Manage preview Builds policy.

      Recommendations

      For the best experience with Windows Update, follow these guidelines:

      - Use devices for at least 6 hours per month, including at least 2 hours of continuous use.
      - Keep devices regularly charged. Plugging in devices overnight enables them to automatically update outside of active hours.
      - Make sure that devices have at least 10 GB of free space.
      - Give devices unobstructed access to the Windows Update service.
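A check for the limits in the quoted docs, as an added example that is not part of the post or of Microsoft's documentation: it validates deferral values against the 365-day and 30-day maximums, works out when a 35-day pause lapses from its start date, and labels the branch readiness level. The registry value names are the ones the "Select when ... are Received" Group Policies write under the WindowsUpdate policy key; the sample policy fed to it is constructed, and the live check simply reads whatever that key holds on the machine it runs on.

```powershell
# Added example, not from the original post or the Microsoft docs it quotes.
# Checks Windows Update for Business policy values against the limits stated
# in the docs: feature deferral up to 365 days, quality deferral up to 30 days,
# and a pause that lasts 35 days from its start date. The value names are the
# ones the "Select when ... are Received" Group Policies write under the
# WindowsUpdate policy key; the sample policy below is constructed.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$PauseDays = 35
$MaxDefer  = @{
    DeferFeatureUpdatesPeriodInDays = 365
    DeferQualityUpdatesPeriodInDays = 30
}
# Numeric codes the Update policy uses for the branch readiness level.
$BranchName = @{
    2  = 'Windows Insider Fast'
    4  = 'Windows Insider Slow'
    8  = 'Windows Insider Release Preview'
    16 = 'Semi-Annual Channel (Targeted)'
    32 = 'Semi-Annual Channel'
}

function Test-WufbPolicy {
    param(
        [Parameter(Mandatory)] [hashtable] $Policy,
        [datetime] $Now = (Get-Date)
    )
    $findings = New-Object System.Collections.Generic.List[string]

    foreach ($name in $MaxDefer.Keys) {
        if (-not $Policy.ContainsKey($name)) { continue }
        $days = [int]$Policy[$name]
        if ($days -lt 0 -or $days -gt $MaxDefer[$name]) {
            $findings.Add("$name = $days is outside the documented range 0..$($MaxDefer[$name]) days")
        } else {
            $findings.Add("$name = $days days (ok)")
        }
    }

    foreach ($name in 'PauseFeatureUpdatesStartTime', 'PauseQualityUpdatesStartTime') {
        if (-not $Policy.ContainsKey($name) -or -not $Policy[$name]) { continue }
        $start = [datetime]::ParseExact($Policy[$name], 'yyyy-MM-dd', $null)
        $end   = $start.AddDays($PauseDays)
        if ($Now -ge $end) {
            $findings.Add("$name = $($Policy[$name]): the $PauseDays-day pause ended $($end.ToString('yyyy-MM-dd')); updates are offered again")
        } else {
            $findings.Add("$name = $($Policy[$name]): paused until $($end.ToString('yyyy-MM-dd'))")
        }
    }

    if ($Policy.ContainsKey('BranchReadinessLevel')) {
        $level = [int]$Policy['BranchReadinessLevel']
        $label = if ($BranchName.ContainsKey($level)) { $BranchName[$level] } else { 'unknown value' }
        $findings.Add("BranchReadinessLevel = $level ($label)")
    }
    return $findings
}

function Get-WufbPolicy {
    # Reads the live policy key into a hashtable; empty when no policy is set.
    $result = @{}
    if (-not (Test-Path $PolicyKey)) { return $result }
    $props = Get-ItemProperty -Path $PolicyKey
    foreach ($name in 'DeferFeatureUpdatesPeriodInDays', 'DeferQualityUpdatesPeriodInDays',
                      'PauseFeatureUpdatesStartTime', 'PauseQualityUpdatesStartTime',
                      'BranchReadinessLevel', 'ExcludeWUDriversInQualityUpdate') {
        if ($null -ne $props.$name) { $result[$name] = $props.$name }
    }
    return $result
}

# Constructed sample: feature deferral beyond the maximum, and a quality pause
# that has already lapsed relative to the fixed date used for the check.
$sample = @{
    DeferFeatureUpdatesPeriodInDays = 400
    DeferQualityUpdatesPeriodInDays = 7
    PauseQualityUpdatesStartTime    = '2020-01-01'
    BranchReadinessLevel            = 32
}
Test-WufbPolicy -Policy $sample -Now ([datetime]'2020-02-12')

# Live check on this machine.
Test-WufbPolicy -Policy (Get-WufbPolicy)
```

The lapsed-pause finding is the one worth alerting on: a pause set during an incident silently expires after 35 days and the problematic update starts flowing again, which is exactly the situation the question in this thread (an update that breaks an application) runs into if nobody revisits the policy.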
  16. Can you choose what updates get approved? I didn't see it in the document. There have been instances where an update breaks some application and we have to delay applying it until we have it fixed.
  17. It's all documented here: https://docs.microsoft.com/en-us/configmgr/sum/deploy-use/integrate-windows-update-for-business-windows-10 Take a look at that and if you have any more questions then post back here.
  18. You can configure it to allow controlled updates to clients that never connect to the domain or local network?
  19. Earlier
  20. You could also use Windows Update for Business policies to enforce this; it's much easier and configurable within ConfigMgr.
  21. And to answer your last question:

      > One last question: if currently all our machines have BitLocker on and I add them to this new policy, will it be able to pull the current in-use recovery keys, or would I have to decrypt then re-encrypt?

      If you have a computer that is already encrypted with BitLocker, let's say with AES 128 (or some other encryption algorithm), and you later add this computer to your BitLocker Management collection that has a policy targeted to it, the computer will get the BitLocker management policy and then decide whether it is compliant or not based on the settings of that policy. It will NOT re-encrypt the already encrypted drive (if, for example, the algorithm doesn't match your configured BitLocker Management policy).

      In addition, on that already encrypted drive, regardless of whether or not it is compliant with your BitLocker management policy, the MDOP agent will rotate the existing BitLocker recovery key and store the newly rotated recovery key in the ConfigMgr database. In the screenshot below you can see the recovery key has rotated on the already encrypted (with BitLocker) client, and the new key is now stored in ConfigMgr's database. This computer was previously encrypted with BitLocker using GPO settings from AD, but it doesn't matter how it was encrypted with BitLocker; the fact is it was already encrypted.

      Side note #1: if you were saving the key to your on-premises Active Directory prior to using the BitLocker Management features in ConfigMgr, then the newly rotated recovery key will also be stored in Active Directory.

      Side note #2: Those same keys will also be stored in the cloud (if you have Azure AD Connect set up), as shown below.

      What about compliance of your BitLocker Management policy?

      If you look closely at the first screenshot, you can also see that the client is non-compliant for the 'enable bitlocker encryption' BitLocker Management policy I created, and that is because this client computer only has AES-128 as the algorithm and the policy requires AES-256. To resolve the compliance problem, you'd have to decrypt the drive and then re-encrypt with the correct algorithm as defined in your BitLocker Management policy in ConfigMgr; only after doing that would it register as compliant.

      Cheers, Niall
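A local check for the compliance case described in the answer above, as an added example that is not part of Niall's post or of the ConfigMgr BitLocker agent: it compares each volume's encryption method with the algorithm a BitLocker Management policy requires, reports the mismatch the agent will not fix on its own, and shows the decrypt-then-re-encrypt remediation. The required algorithm (Aes256, matching the post) is a placeholder for your policy setting, the sample volumes are constructed, and the live check needs the BitLocker module in an elevated prompt.

```powershell
# Added example, not from Niall's post. Reports which local BitLocker volumes
# would be non-compliant with a BitLocker Management policy that requires a
# given encryption algorithm, and shows the decrypt/re-encrypt remediation.
# Assumptions: the required algorithm (Aes256 here, matching the post) is a
# placeholder for your policy setting; the sample volumes are constructed.
# The live check needs the BitLocker module and an elevated prompt.

$RequiredMethod = 'Aes256'   # assumed policy value; XtsAes256 is the other common choice

function Test-BitLockerCompliance {
    param(
        [Parameter(Mandatory)] [object[]] $Volumes,   # objects shaped like Get-BitLockerVolume output
        [Parameter(Mandatory)] [string]   $Required
    )
    foreach ($v in $Volumes) {
        $method    = "$($v.EncryptionMethod)"
        $encrypted = ("$($v.ProtectionStatus)" -eq 'On') -and ("$($v.VolumeStatus)" -eq 'FullyEncrypted')
        $methodOk  = $method -eq $Required
        if (-not $encrypted)    { $reason = 'not fully encrypted or protection is off' }
        elseif (-not $methodOk) { $reason = "encrypted with $method, policy requires $Required (agent will not re-encrypt)" }
        else                    { $reason = '' }
        [pscustomobject]@{
            MountPoint       = $v.MountPoint
            ProtectionStatus = $v.ProtectionStatus
            EncryptionMethod = $method
            Compliant        = ($encrypted -and $methodOk)
            Reason           = $reason
        }
    }
}

# Constructed sample: C: was encrypted by GPO with AES-128, D: is not encrypted.
$sampleVolumes = @(
    [pscustomobject]@{ MountPoint = 'C:'; ProtectionStatus = 'On';  VolumeStatus = 'FullyEncrypted'; EncryptionMethod = 'Aes128' }
    [pscustomobject]@{ MountPoint = 'D:'; ProtectionStatus = 'Off'; VolumeStatus = 'FullyDecrypted'; EncryptionMethod = 'None'   }
)
Test-BitLockerCompliance -Volumes $sampleVolumes -Required $RequiredMethod | Format-Table -AutoSize

# Live check on this machine, when the BitLocker cmdlets are available.
if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    Test-BitLockerCompliance -Volumes @(Get-BitLockerVolume) -Required $RequiredMethod | Format-Table -AutoSize
}

# Remediation for an algorithm mismatch (shown, not run): decrypt, wait for
# FullyDecrypted, then encrypt again with the required method and re-add the
# recovery password protector so the new key can be escrowed.
#   Disable-BitLocker -MountPoint 'C:'
#   while ((Get-BitLockerVolume -MountPoint 'C:').VolumeStatus -ne 'FullyDecrypted') { Start-Sleep -Seconds 30 }
#   Enable-BitLocker -MountPoint 'C:' -EncryptionMethod Aes256 -TpmProtector -SkipHardwareTest
#   Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector
```

Running the check before you target a policy at an existing estate tells you how many drives will show as non-compliant for algorithm reasons alone, which is the number of full decrypt/re-encrypt cycles you are signing up for; the recovery password protector is re-added last so that the rotated key the agent escrows belongs to the newly encrypted volume.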
  22. What policy settings have you configured, and have you verified the client is indeed in the collection where you deployed it?
  23. Hi ya, MBAM-WEB is empty on the site servers and MBAM > Admin client shows no events... Thank you, Carl
  24. Hi all, we are experiencing a weird issue with BitLocker when re-installing existing Windows 10 1709 machines with Windows 10 1903. The machines are hybrid AD joined and the BitLocker recovery information is stored in Active Directory. During a new installation of the device with Windows 10 1903, BitLocker fails to store the recovery information in Active Directory. After examining the Windows event log, it turns out the device is trying to store the recovery information in Azure AD. Is this new behaviour of Windows 10 1903, and can we modify this behaviour?