anyweb

thanks I appreciate the kind words i'm not sure. i'm doing a bunch of videos currently on MBAM in SCCM 1910 CB and that's getting all my focus, but i will get to part 8, eventually

thanks for sharing, please do let me know how you get on with this.

But I can’t get to the web interface for /Reports in the start menu locate the SSRS Report Server Configuration Manager, and run it, you need to configure the Reports url in there and click apply.

no worries, before you ran the script did you confirm that SSRS was configured and working and that reports work in your console ? if not, go ahead and fix reporting, then re-run the script

hiya i didn't see that problem (see part 2 of my videos here) https://www.niallbrady.com/2019/12/10/learn-about-mbam-integration-in-microsoft-endpoint-configuration-manager-version-1910-part-2-configure-portals/ however i have one lab with the cert issue you reported on technet and your workaround didn't work for me, fyi cheers niall

thanks! yes you could check for the ip range that your network cables use (as opposed to wireless), and detect based on that, all networks are different so you'll have to customize it somehow to suit your environment cheers niall

can you post a screenshot of your error, I assume you are using my script on your primary server ?

thanks for the thanks,. first thing though, is your 1910 lab in HTTPS mode ? if not you cannot use MBAM integration, it must be in HTTPS mode. if you need help with https mode see the following links, i converted one of my labs from http to https yesterday using these guides, it's not that hard if you pay attention to the guides: *to learn how to setup PKI and convert MEM CM from HTTP to HTTPS see https://windows-noob.com/forums/topic/16252-how-can-i-configure-pki-in-a-lab-on-windows-server-2016-part-1/ and then once complete, do this https://windows-noob.com/forums/topic/16300-how-can-i-configure-system-center-configuration-manager-in-https-mode-pki-part-1/

thanks Harley, i'll update it shortly ! as regards Part 8, it's on my ever growing to-do list, thanks for reminding me

This Holiday Season, Altaro is helping you out with your Holiday Shopping: they’re giving you the chance to WIN fantastic gifts that you can give to your loved ones! It’s no secret that Holiday shopping can be stressful and very time-consuming. So this year, whether you need a present for your partner, your children, your parents and in-laws, or your friends… Altaro’s got your back. Enter and share it on socials for a chance to WIN one of the Grand Prizes: a Holy Stone GPS FPV RC Drone HS100, an All-Access MasterClass pass, Lomography Lomo’Instant San Sebastian, an Echo Plus (Smart Home Hub), a Wii Console & Mario Kart for Wii, 2x Netflix Gift Cards of $100 each, and a JBL Clip Portable Waterproof Speaker. And guess what? For any eligible subscription they give you a guaranteed Amazon voucher! So, if you are a Hyper-V or VMware user, download Altaro’s VM Backup and follow the instructions you will find over here to WIN these exciting prizes! Good luck & Happy Holidays!

yes of course it's possible, and you've already figured it out

it looks like it's failing on the SCCM pre req files, i'm guessing the files it's downloaded are 0 bytes in size, can you check ? as it is the pre-reqs that are failing, can you delete them, and run the script again to download the pre-reqs, here it is.. <# # Download SCCM prerequisite files, 2019/4/23 Niall Brady, https://www.windows-noob.com # # This script: Downloads SCCM prerequisite files # Before running: Extract the SCCM Current Branch baseline version ISO to the $SCCMPath folder, eg: C:\Source\SCCM1902. Edit the variables as necessary (lines 17-19). # Usage: Run this script on the ConfigMgr Primary Server as a user with local Administrative permissions on the server #> If (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole(` [Security.Principal.WindowsBuiltInRole] “Administrator”)) { Write-Warning “You do not have Administrator rights to run this script!`nPlease re-run this script as an Administrator!” Break } # below variables are customizable $SourcePath = "C:\Source" # where is the media ? $SCCMPath = "C:\Source\SCCM1902" $PrerequisitesPath = "$SourcePath" + "\SCCMPrereqs" # please don't edit below this line write-host "Starting SCCM prerequisites download script..." write-host "" # Check for SCCM source files write-host "Checking for ConfigMgr media in $SCCMPath..." -nonewline if (Test-Path "$SCCMPath\SMSSETUP"){ Write-Host "done!" -ForegroundColor Green } else { write-host "Error" -ForegroundColor Red write-host "Please extract the SCCM media to '$SCCMPath' and then try running this script again..." break} write-host "Checking for'$PrerequisitesPath' folder..." -nonewline # Check for prerequisites download path folder, if not present create it if (Test-Path "$PrerequisitesPath"){ Write-Host "done!" -ForegroundColor Green #write-host "The folder '$PrerequisitesPath' already exists, therefore this script will not download the prerequisites." } else { mkdir "$PrerequisitesPath" | out-null Write-Host "done!" -ForegroundColor Green # start the SCCM prerequisite downloader write-host "Downloading SCCM version prerequisite files..." -nonewline $filepath = "$SCCMPath\SMSSETUP\bin\X64\SETUPDL.exe" # remove /NoUI if you want to see the download progress UI $Parms = "/NoUI `"$PrerequisitesPath`"" $Prms = $Parms.Split(" ") Try {& "$filepath" $Prms | Out-Null} catch {Write-Host "error!" -ForegroundColor red break} Write-Host "done!" -ForegroundColor Green }

Introduction Microsoft BitLocker Administration and Monitoring (MBAM) is the ability to have a client agent (the MDOP MBAM agent) on your Windows devices (7,8 10) to enforce BitLocker encryption including algorithm type, and to store the recovery keys in your database, securely. It includes reporting, key rotation and more. This is something that has been around for quite some years now and is working great, however, MBAM is currently it’s own separate solution. The following blog post from Microsoft details their future direction with regard to BitLocker Management and is a must read. https://techcommunity.microsoft.com/t5/Enterprise-Mobility-Security/Microsoft-expands-BitLocker-management-capabilities-for-the/ba-p/544329 The purpose of this blog post is to gather together previous guides I’ve written since it’s first release in Technical Preview 1905, which help you understand how to get started with MBAM integrated within Configuration Manager, what to expect on the client computers, using help desk functionality and finally running reports to get an overview of your compliance. Getting started with On-premises BitLocker management using SCCM How can I get BitLocker Recovery Keys from the ConfigMgr database How to fix: “Unable to find suitable Recovery Service MP. Marking policy non-compliant” How does Key Rotation work in MBAM integrated with SCCM ? How can you use the Self Service feature when MBAM is integrated within SCCM? How can you use the Help Desk feature when MBAM is integrated within SCCM? A quick look at reporting in MBAM integrated within Microsoft Endpoint Manager Configuration Manager

Introduction Microsoft have been hard at work adding MBAM (Microsoft BitLocker Management and Monitoring) features natively to Microsoft Endpoint Manager Configuration Manager, and those features have been improved since they were first released, with bug fixes and new features added over time. Initially, when TP1905 shipped with MBAM integrated, there was a lot of excitement about this new integration within ConfigMgr. It finally brought together native integration of MBAM within ConfigMgr for on premises devices. However, reporting capabilities were not included. A brief history of my MBAM reporting experiences in ConfigMgr In a later Technical Preview (TP1909), reporting ability was added to the Reporting node in ConfigMgr and I blogged about that here. That release contained a bunch of reports for MBAM located in the Reporting node shown below. Sadly however when I tried to run any of them I got an error, I alerted the Microsoft Product Group about this and a known issues was appended to the release notes, however the suggested workaround didn’t solve my reporting issues. I continued to work with Microsoft Product Group and particularly Frederic Mokren (thanks Frederic) until we figured out my issues. First of all I could see the issue with reading reports in the above screenshots, but further digging revealed permission denied errors on the ConfigMgr database. This was solved by changing the permissions of the ConfigMgr reporting services reporting point user windowsnoob\CM_SR to have db_datareader on the CM database. And below is the user account in question. The above changes should have been implemented in production releases of the same so hopefully you won’t encounter the problems that I did. Server side reports So let’s take a look at the reports for BitLocker Management in ConfigMgr. The reports are found in the Monitoring workspace under BitLocker Management and currently there are 5 (including the audit report in the language specific sub folder). Note: The reports in this blog post won’t have much data as this is a lab and you are limited to the number of active clients in Technical Preview releases. BitLocker Computer Compliance BitLocker Enterprise Compliance Dashboard BitLocker Enterprise Compliance Details BitLocker Enterprise Compliance Summary Recovery Audit Report BitLocker Computer Compliance When running the BitLocker Computer Compliance report you are prompted for a computer name. The BitLocker Computer Compliance Report provides detailed encryption information about each drive on a computer (operating system and fixed data drives). It also provides an indication of the policy that is applied to each drive type on the computer. After running you should get some data back, such as the below. Note: In the above report are some additional columns that are not shown in the screenshot, but in the actual report you can scroll right to see that data. BitLocker Enterprise Compliance Dashboard In the BitLocker Enterprise Compliance Dashboard, you’ll be prompted to enter a collection ID of the collection (of computers targeted with a Bitlocker Compliance policy) that you want to check compliance of. The BitLocker Enterprise Compliance Dashboard provides several graphs, which show BitLocker compliance status across the enterprise. If all of your computers are non-compliant (such as the one computer in this report below) it will appear in red. and after fixing my compliance issues… BitLocker Enterprise Compliance Details The BitLocker Enterprise Compliance Details report provides details about your targeted computers and allows you to sort by certain data values for Compliance Status Error Status Selecting the Compliance status option gives you further search criteria. as does Error status Once you’ve defined the search criteria (and collection id) the report is displayed by clicking on View Report. BitLocker Enterprise Compliance Summary The BitLocker Enterprise Compliance Summary is just that, it’s a summary of your BitLocker Enterprise Compliance. You’ll need to enter a collection id so that if can gather data for that BitLocker policy targeted collection. I only have one computer reporting data currently in this lab and it’s decrypting as I speak, so naturally it’s non-compliant. But here’s a view of my summary. and the same report looks like this when my devices are compliant Recovery Audit Report The Recovery Audit Report is a special report in the language specific (eg: en-us) sub folder of BitLocker Management. This report allows you to see which of your help desk users revealed keys to specific users, so it’s a great tracking tool. It’s also special in that (at least in my lab) the ConfigMgr reporting services reporting point user needed db_owner in order to generate the report without error. The data in this report is derived from a help desk user (or advanced user) doing a new helpdesk request as described in a previous blog post here. Client side report You can generate an XML report using the Configuration Manager client agent, on the Configurations tab shown below, select the Bitlocker Compliance policy targeted at the computer. It will list the policy name, what revision it is (which is useful when you change settings in ConfigMgr itself), when it was last evaluated and whether it’s compliant or not. To view the report, click on View Report. The report below is from a client in non-compliant state. You can then drill down further into this report to see what’s the issue. Once you’ve resolved the compliance issues, it should register as complient such as in this xml So that’s if for this blog post, I’ll update it over the coming days with some more insights as I get time. Related reading https://www.niallbrady.com/2019/10/07/how-does-key-rotation-work-in-mbam-integrated-with-sccm/ https://www.niallbrady.com/2019/10/06/how-can-you-use-the-help-desk-feature-when-mbam-is-integrated-within-sccm/ https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/mbam-v2/how-to-recover-a-corrupted-drive-mbam-2 https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/mbam-v25/how-to-use-the-self-service-portal-to-regain-access-to-a-computer-mbam-25 On-premises BitLocker management using System Center Configuration Manager How can I get BitLocker Recovery Keys from the ConfigMgr database How to fix: “Unable to find suitable Recovery Service MP. Marking policy non-compliant” https://techcommunity.microsoft.com/t5/Enterprise-Mobility-Security/Microsoft-expands-BitLocker-management-capabilities-for-the/ba-p/544329

also, check your partition layout on Windows 7, you need to know exactly what you are dealing with in order to get it to work. Diskpart will be your friend in troubleshooting as will pause statements before, and after the mbr2gpt step.