Leaderboard

hi Shaq, the reason I stated that HTTPS was required was because it was in TP1905, but then it wasn't in TP1909, but in ConfigMgr 1910 Current Branch it is again, required. but... going forward I think that a future release of ConfigMgr (maybe 2002) will allow you to use eHTTP or HTTPS, that would make it much easier to use the MBAM capabilities but remember HTTPS is more secure regardless. cheers niall

Hi Niall, I would like to thank you for making such detailed documents and videos. But I have a question. I have looked at your videos and your documents and I am a bit confused. Even in this document you mentioned "Update: Initially PKI/HTTPS was required (in TP1905) for BitLocker Management in SCCM, however from Technical version 1909 it was no longer required, and became optional (but recommended). For more info see this blog post. I'm including the important note from that text below. Note: Microsoft recommends but doesn't require the use of HTTPS. For more information, see How to Set Up SSL on IIS (or see my two links below)." But in the video as well as the comments you said SCCM should be in HTTPS mode. Could you please clarify? Thanks again for your detailed documentations.

everything inside the LAB should be on a private network, that way everything in the lab can talk to itself without interference from the outside, if you map a switch to a network card then that effectively gives your lab access to anything on that network and vice versa, so if your network card is connected say to your internal company network, and you set your switch to External, using your onboard NIC, then your dhcp server could start handing out ip's on your company network, and you don't want that. so keep your lab private, and only share internet into the lab using a smoothwall or similar. if you want to 'test' deploying things (like operating systems or otherwise) to computers outside of the lab, then follow my guide here

Thank you for the lab (up to part 6 its all working fine) Great to hear it ! Just a short question: how can I add templates? My PaloAlto FW needs the Subordinate Certification Authority template for inspecting network traffic. It is only with "new - certificate template to issue"? (This sounds too easy 🙂 ) in Certsrv.msc on the IssuingCA right click on Certificate Templates, and choose Manage, you can then select a known Certificate Template (for example Workstation Authentication) that matches what is required for your FW, check the documentation of the FW to see exactly what type of certificate it requires and duplicate it by chgoosing Duplicate Template then rename it to your needs and adjust it to suit the FW requirements and as for your other question, see this answer from Technet. According to https://docs.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/prepare-the-capolicy-inf-file the LoadDefaultTemplate flag only applies to an enterprise CA. My assumption is that if you set up a standalone, the templates will be loaded nevertheless. LoadDefaultTemplates only applies during the install of an Enterprise CA. This setting, either True or False (or 1 or 0), dictates if the CA is configured with any of the default templates.

Scrap that, forced inventory and it now seems to be working!

Thanks for this script/ solution. Thanks to this I learned a lot about how to do BitLocker with PowerShell from Intune MDM. I've added some functionality and made some fixes and design changes, but can't release all the code here due to the fact that I've done this for my company, and it's their IP. That being said, I'd like to share a fix to one part that failed for me some times: Fetching the certificate for uploading recovery password to Azure AD using REST. I rewrote it to this, might be usefull for others: # Get the AAD Machine Certificate $Certificate = $([array]$(Get-ChildItem -Path 'Certificate::LocalMachine\My').Where{$_.'Issuer' -match 'CN=MS-Organization-Access'}) $CertificateThumbprint = [string]$($Certificate | Select-Object -ExpandProperty 'Thumbprint') $CertificateSubject = [string]$([string]$($Certificate | Select-Object -ExpandProperty 'Subject').Replace('CN=','')) # Get tenant domain name from registry $TenantDomain = [string]$([string]$(Get-ItemProperty -Path ('Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CloudDomainJoin\JoinInfo\{0}' -f ($CertificateThumbprint)) -Name 'UserEmail' | Select-Object -ExpandProperty 'UserEmail').Split('@')[-1]) Offtopic: How do I set a profile picture? I've searched the forum and Google-ed it too.

Just wanted to follow up and let you know I have had great success utilizing your script.. the error checking is superb.. thank you for the work and troubleshooting you have done to vet your script.. you are a life saver!!

you are welcome, it was one of the more difficult thing I've gotten around to blogging, and I did it to understand the process better myself and to teach others, I've done the lab 3 times already and I know it works :-), if you follow the next in the series you can also configure SCCM with HTTPS, links below How can I configure System Center Configuration Manager in HTTPS mode (PKI) - Part 1 How can I configure System Center Configuration Manager in HTTPS mode (PKI) - Part 2