anyweb

hi, see below do we need to enable full disk encryption during the OSD for this to work? the following docs explain that you can do this during OSD By default, the Enable BitLocker task sequence step only encrypts used space on the drive. BitLocker management uses full disk encryption. Configure this task sequence step to enable the option to Use full disk encryption. For more information, see Task sequence steps - Enable BitLocker. -do we need to set bitlocker encryption levels in the OSD still and GPOs or just use the new Bitlocker deployment policy after the machine is online? it's up to you which way works better, do you want to control bitlocker (keys) during OSD or after, that's entirely up to you, the easiest way is to simply target the policy after it's imaged, but the safest way is to configure it during OSD.

if you want to remove choice then simply deploy the task sequence with a purpose of Required, but, be warned, be very careful about what collection you deploy any required task sequences too because they are Mandatory and can cause all sorts of issues if you get your queries wrong, or if you target a collection with many computers inside...

did you already create a policy previously ? i'd suggest you look at my videos here, start with #1 and work your way through them, i cover this exact question in there. BitLocker management – Part 1 Initial setup BitLocker management – Part 2 Deploy portals BitLocker management – Part 3 Customize portals BitLocker management – Part 4 Force encryption with no user action BitLocker management – Part 5 key rotation BitLocker management – Part 6 Force decryption with no user action BitLocker management – Part 7 Reporting and compliance BitLocker management – Part 8 Migration BitLocker management – Part 9 Group Policy settings BitLocker management – Part 10 Troubleshooting

you'd need to provide some actual context of what you are trying here and where it failed, can you tell us more about your problem ?

it was linked to in the article, see https://docs.microsoft.com/en-us/windows/deployment/update/waas-manage-updates-wufb Types of updates managed by Windows Update for Business Windows Update for Business provides management policies for several types of updates to Windows 10 devices: Feature updates: previously referred to as upgrades, feature updates contain not only security and quality revisions, but also significant feature additions and changes; they are released semi-annually in the fall and in the spring. Quality updates: these are traditional operating system updates, typically released the second Tuesday of each month (though they can be released at any time). These include security, critical, and driver updates. Windows Update for Business also treats non-Windows updates (such as those for Microsoft Office or Visual Studio) as quality updates. These non-Windows Updates are known as "Microsoft updates" and can configure devices to receive or not receive such updates along with their Windows updates. Driver updates: these are non-Microsoft drivers that are applicable to your devices. Driver updates can be turned off by using Windows Update for Business policies. Microsoft product updates: these are updates for other Microsoft products, such as Office. These updates can be enabled or disabled by using Windows Update for Business policy. Offering You can control when updates are applied, for example by deferring when an update is installed on a device or by pausing updates for a certain period. Manage which updates are offered Windows Update for Business offers you the ability to turn on or off both driver and Microsoft product updates. Drivers (on/off): When "on," this policy will not include drivers with Windows Update. Microsoft product updates (on/off): When "on" this policy will install updates for other Microsoft products. Manage when updates are offered You can defer or pause the installation of updates for a set period of time. Defer or pause an update A Windows Update for Business administrator can defer the installation of both feature and quality updates from deploying to devices within a bounded range of time from when those updates are first made available on the Windows Update service. You can use this deferral to allow time to validate deployments as they are pushed to devices. Deferrals work by allowing you to specify the number of days after an update is released before it is offered to a device (if you set a feature update deferral period of 365 days, the device will not install a feature update that has been released for less than 365 days). To defer feature updates use the Select when Preview Builds and Feature Updates are Received policy. Category Maximum deferral Feature updates 365 days Quality updates 30 days Non-deferrable none Pause an update If you discover a problem while deploying a feature or quality update, the IT administrator can pause the update for 35 days to prevent other devices from installing it until the issue is mitigated. If you pause a feature update, quality updates are still offered to devices to ensure they stay secure. The pause period for both feature and quality updates is calculated from a start date that you set. To pause feature updates use the Select when Preview Builds and Feature Updates are Received policy and to pause quality updates use the Select when Quality Updates are Received policy. For more information, see Pause feature updates and Pause quality updates. Select branch readiness level for feature updates The branch readiness level enables administrators to specify which channel of feature updates they want to receive. Today there are branch readiness level options for both pre-release and released updates: Windows Insider Program for Business pre-release updates Windows Insider Fast Windows Insider Slow Windows Insider Release Preview Semi-annual Channel for released updates Prior to Windows 10, version 1903, there are two channels for released updates: Semi-annual Channel and Semi-annual Channel (Targeted). Deferral days are calculated against the release date of the chosen channel. Starting with Windows 10, version 1903 there is only the one release channel: Semi-annual Channel. All deferral days will be calculated against a release’s Semi-annual Channel release date. To see release dates, visit Windows Release Information. You can set the branch readiness level by using the Select when Preview Builds and Feature Updates are Received policy. In order to use this to manage pre-release builds, first enable preview builds by using the Manage preview Builds policy. Recommendations For the best experience with Windows Update, follow these guidelines: Use devices for at least 6 hours per month, including at least 2 hours of continuous use. Keep devices regularly charged. Plugging in devices overnight enables them to automatically update outside of active hours. Make sure that devices have at least 10 GB of free space. Give devices unobstructed access to the Windows Update service.

it's all documented here https://docs.microsoft.com/en-us/configmgr/sum/deploy-use/integrate-windows-update-for-business-windows-10 take a look at that and if you have any more questions then post back here

you could also use Windows Update for business policies to enforce this, much easier and configurable within ConfigMgr

And to answer your last question: One last question if currently all our machines have bit locker on and I add them to this new policy will it be able to pull the current in use recovery Keys or would I have to decrypt then re-encrypt? If you have a computer that is already encrypted with Bitlocker, let's say with AES 128 (or some other encryption algorithm), and you later add this computer to your Bitlocker Management collection that has a policy targeted to it, the computer will get the Bitlocker management policy and then decide whether it is compliant or not based on the settings of that policy, it will NOT re-encrypt the already encrypted drive (if for example the algorithm doesn't match your configured Bitlocker Management policy). In addition on that already encrypted drive, regardless of whether or not it is compliant with your bitlocker management policy, the MDOP agent will rotate the existing bitlocker recovery key and store the newly rotated recovery key in the ConfigMgr database. In the screenshot below you can see the recovery key has rotated on the already encrypted (with Bitlocker) client, and the new key is now stored in ConfigMgr's database, this computer was previously encrypted with Bitlocker using GPO settings from AD but it doesn't matter how it was encrypted with Bitlocker, the fact is it was already encrypted. Side note #1: if you were saving the key to your on-premises Active Directory prior to using the Bitlocker Management features in ConfigMgr, then the newly rotated recovery key will also be stored in Active Directory Side note #2: Those same keys will also be stored in the cloud (if you have Azure AD connect setup) as shown below What about compliance of your Bitlocker Management policy ? if you look closely at the first screenshot, you can also see that the client is non-compliant for the 'enable bitlocker encryption' Bitlocker Management policy i created, and that is because this client computer only has AES-128 as the algorithm and the policy requires AES-256, to resolve the compliance problem, you'd have to decrypt the drive and then re-encrypt with the correct algorithm as defined in your Bitlocker Management policy in ConfigMgr, only after doing that would it register as compliant cheers niall

what policy settings have you configured and have you verified the client is indeed in the collection where you deployed it ?

hi Neil Thanks for your guide it was very helpful! you are welcome. I have installed the BitLocker extension on 1910 and have currently deployed it to one newly built machine as a test. This was all successful however is the only was to view the key to query the database directly as this seems a bit clunky, i'm not really following what you are saying there but if you are asking how to review the recovery key, normally you'd use the Helpdesk feature as described in the part 2 and part 3 videos here

no timeline yet, thanks for the thanks, i still have 2 videos of my Bitlocker Management series to complete, then i'll get to it sorry for the delay but all this takes time

i'd recommend using the install.wim baked into the original media and not 'capture' fat images any more, it's quicker and will save you time and effort in the long run, why are you capturing images now anyway ?

It’s common knowledge, or at least should be, that certifications are the most effective way for IT professionals to climb the career ladder and it’s only getting more important in an increasingly competitive professional marketplace. Similarly, cloud-based technologies are experiencing unparalleled growth and the demand for IT professionals with qualifications in this sector are growing rapidly. Make 2020 your breakthrough year - check out this free upcoming webinar hosted by two Microsoft cloud experts to plan your Azure certification strategy in 2020. The webinar features a full analysis of the Microsoft Azure certification landscape in 2020, giving you the knowledge to properly prepare for a future working with cloud-based workloads. Seasoned veterans Microsoft MVP Andy Syrewicze and Microsoft cloud expert Michael Bender will be hosting the event which includes Azure certification tracks, training and examination costs, learning materials, resources and labs for self-study, how to gain access to FREE Azure resources, and more. Altaro’s webinars are always well attended and one reason for this is the encouragement for attendee participation. Every single question asked is answered and no stone is left unturned by the presenters. They also present the event live twice to allow as many people as possible to have the chance of attending the event and asking their questions in person! For IT professionals in 202, and especially those with a Microsoft ecosystem focus, this event is a must-attend! The webinar will be held on Wednesday February 19, at 3pm CET/6am PST/9am EST and at again 7pm CET/10am PST/1pm EST. I’ll be attending so I’ll see you there! Save your free webinar seat

what does details tell you ?

Thanks for the video you posted on Youtube! I really like that you didn’t edit out your troubleshooting. Seeing you troubleshoot gives the video a higher value then simply showing a 100% working environment! thank you ! 1. it can be completely silent see > 2. MDOP is not a self healing product, but you can use CI/CB's in ConfigMgr to achieve this (via compliance), MDOP offers the helpdesk and self service portals, encryption of the database and traffic between client and the database.