Everything posted by anyweb

  1. well you cannot have two different disk encryption methods at the same time so if you want to move to BitLocker (good choice) then you'll first need to completely remove whatever encryption that McAfee has put in place. Once that is done and the McAfee agent is removed you can enforce BitLocker easily with Configuration Manager, check out my blog post here for guidance. https://www.niallbrady.com/2019/11/13/want-to-learn-about-mbam-integrated-with-microsoft-endpoint-manager-configuration-manager/
  2. normally you should use service accounts, but in your case, your sccm login is probably what you need, try it...
  3. what account was used before with the database mentioned ?
  4. look in SQL under logins, see what logins are there, add your account as SQL SysAdmin if you are not sure what to do
  5. check the username/password specified in sql, that's where it's failing, see below snippet...

     ERROR: Failed to restore databases. $$<Configuration Manager Setup><12-13-2019 14:41:31.500+00><thread=3800 (0xED8)>
     *** [28000][18456][Microsoft][SQL Server Native Client 11.0][SQL Server]Login failed for user 'sitename\user'.

     cheers niall
  6. thanks I appreciate the kind words i'm not sure. i'm doing a bunch of videos currently on MBAM in SCCM 1910 CB and that's getting all my focus, but i will get to part 8, eventually
  7. But I can’t get to the web interface for /Reports

     in the start menu locate the SSRS Report Server Configuration Manager, and run it, you need to configure the Reports url in there and click apply.
  8. no worries, before you ran the script did you confirm that SSRS was configured and working and that reports work in your console ? if not, go ahead and fix reporting, then re-run the script
  9. hiya i didn't see that problem (see part 2 of my videos here) https://www.niallbrady.com/2019/12/10/learn-about-mbam-integration-in-microsoft-endpoint-configuration-manager-version-1910-part-2-configure-portals/ however i have one lab with the cert issue you reported on technet and your workaround didn't work for me, fyi cheers niall
  10. thanks! yes you could check for the ip range that your network cables use (as opposed to wireless), and detect based on that, all networks are different so you'll have to customize it somehow to suit your environment cheers niall
  11. thanks for the thanks. first thing though, is your 1910 lab in HTTPS mode ? if not you cannot use MBAM integration, it must be in HTTPS mode. if you need help with https mode see the following links, i converted one of my labs from http to https yesterday using these guides, it's not that hard if you pay attention to the guides: *to learn how to setup PKI and convert MEM CM from HTTP to HTTPS see https://windows-noob.com/forums/topic/16252-how-can-i-configure-pki-in-a-lab-on-windows-server-2016-part-1/ and then once complete, do this https://windows-noob.com/forums/topic/16300-how-can-i-configure-system-center-configuration-manager-in-https-mode-pki-part-1/
  12. This Holiday Season, Altaro is helping you out with your Holiday Shopping: they’re giving you the chance to WIN fantastic gifts that you can give to your loved ones! It’s no secret that Holiday shopping can be stressful and very time-consuming. So this year, whether you need a present for your partner, your children, your parents and in-laws, or your friends… Altaro’s got your back. Enter and share it on socials for a chance to WIN one of the Grand Prizes: a Holy Stone GPS FPV RC Drone HS100, an All-Access MasterClass pass, Lomography Lomo’Instant San Sebastian, an Echo Plus (Smart Home Hub), a Wii Console & Mario Kart for Wii, 2x Netflix Gift Cards of $100 each, and a JBL Clip Portable Waterproof Speaker. And guess what? For any eligible subscription they give you a guaranteed Amazon voucher! So, if you are a Hyper-V or VMware user, download Altaro’s VM Backup and follow the instructions you will find over here to WIN these exciting prizes! Good luck & Happy Holidays!
  13. yes of course it's possible, and you've already figured it out
  14. it looks like it's failing on the SCCM pre req files, i'm guessing the files it's downloaded are 0 bytes in size, can you check ? as it is the pre-reqs that are failing, can you delete them, and run the script again to download the pre-reqs, here it is..

```powershell
<#
# Download SCCM prerequisite files, 2019/4/23 Niall Brady, https://www.windows-noob.com
#
# This script:      Downloads SCCM prerequisite files
# Before running:   Extract the SCCM Current Branch baseline version ISO to the $SCCMPath folder, eg: C:\Source\SCCM1902. Edit the variables as necessary (lines 17-19).
# Usage:            Run this script on the ConfigMgr Primary Server as a user with local Administrative permissions on the server
#>

If (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole(`
    [Security.Principal.WindowsBuiltInRole] "Administrator"))
{
    Write-Warning "You do not have Administrator rights to run this script!`nPlease re-run this script as an Administrator!"
    Break
}

# below variables are customizable
$SourcePath = "C:\Source"
# where is the media ?
$SCCMPath = "C:\Source\SCCM1902"
$PrerequisitesPath = "$SourcePath" + "\SCCMPrereqs"
# please don't edit below this line

write-host "Starting SCCM prerequisites download script..."
write-host ""

# Check for SCCM source files
write-host "Checking for ConfigMgr media in $SCCMPath..." -nonewline
if (Test-Path "$SCCMPath\SMSSETUP"){
    Write-Host "done!" -ForegroundColor Green
} else {
    write-host "Error" -ForegroundColor Red
    write-host "Please extract the SCCM media to '$SCCMPath' and then try running this script again..."
    break
}

write-host "Checking for'$PrerequisitesPath' folder..." -nonewline
# Check for prerequisites download path folder, if not present create it
if (Test-Path "$PrerequisitesPath"){
    Write-Host "done!" -ForegroundColor Green
    #write-host "The folder '$PrerequisitesPath' already exists, therefore this script will not download the prerequisites."
} else {
    mkdir "$PrerequisitesPath" | out-null
    Write-Host "done!" -ForegroundColor Green
    # start the SCCM prerequisite downloader
    write-host "Downloading SCCM version prerequisite files..." -nonewline
    $filepath = "$SCCMPath\SMSSETUP\bin\X64\SETUPDL.exe"
    # remove /NoUI if you want to see the download progress UI
    $Parms = "/NoUI `"$PrerequisitesPath`""
    $Prms = $Parms.Split(" ")
    Try {& "$filepath" $Prms | Out-Null}
    catch {
        Write-Host "error!" -ForegroundColor red
        break
    }
    Write-Host "done!" -ForegroundColor Green
}
```
  15. Introduction

      Microsoft BitLocker Administration and Monitoring (MBAM) is the ability to have a client agent (the MDOP MBAM agent) on your Windows devices (7, 8, 10) to enforce BitLocker encryption including algorithm type, and to store the recovery keys in your database, securely. It includes reporting, key rotation and more. This is something that has been around for quite some years now and is working great, however, MBAM is currently its own separate solution. The following blog post from Microsoft details their future direction with regard to BitLocker Management and is a must read.

      https://techcommunity.microsoft.com/t5/Enterprise-Mobility-Security/Microsoft-expands-BitLocker-management-capabilities-for-the/ba-p/544329

      The purpose of this blog post is to gather together previous guides I’ve written since its first release in Technical Preview 1905, which help you understand how to get started with MBAM integrated within Configuration Manager, what to expect on the client computers, using help desk functionality and finally running reports to get an overview of your compliance.

      • Getting started with On-premises BitLocker management using SCCM
      • How can I get BitLocker Recovery Keys from the ConfigMgr database
      • How to fix: “Unable to find suitable Recovery Service MP. Marking policy non-compliant”
      • How does Key Rotation work in MBAM integrated with SCCM ?
      • How can you use the Self Service feature when MBAM is integrated within SCCM?
      • How can you use the Help Desk feature when MBAM is integrated within SCCM?
      • A quick look at reporting in MBAM integrated within Microsoft Endpoint Manager Configuration Manager
  16. Introduction

      Microsoft have been hard at work adding MBAM (Microsoft BitLocker Management and Monitoring) features natively to Microsoft Endpoint Manager Configuration Manager, and those features have been improved since they were first released, with bug fixes and new features added over time. Initially, when TP1905 shipped with MBAM integrated, there was a lot of excitement about this new integration within ConfigMgr. It finally brought together native integration of MBAM within ConfigMgr for on premises devices. However, reporting capabilities were not included.

      A brief history of my MBAM reporting experiences in ConfigMgr

      In a later Technical Preview (TP1909), reporting ability was added to the Reporting node in ConfigMgr and I blogged about that here. That release contained a bunch of reports for MBAM located in the Reporting node shown below.

      Sadly however when I tried to run any of them I got an error, I alerted the Microsoft Product Group about this and a known issue was appended to the release notes, however the suggested workaround didn’t solve my reporting issues. I continued to work with Microsoft Product Group and particularly Frederic Mokren (thanks Frederic) until we figured out my issues.

      First of all I could see the issue with reading reports in the above screenshots, but further digging revealed permission denied errors on the ConfigMgr database. This was solved by changing the permissions of the ConfigMgr reporting services reporting point user windowsnoob\CM_SR to have db_datareader on the CM database.

      And below is the user account in question.

      The above changes should have been implemented in production releases of the same so hopefully you won’t encounter the problems that I did.

      Server side reports

      So let’s take a look at the reports for BitLocker Management in ConfigMgr. The reports are found in the Monitoring workspace under BitLocker Management and currently there are 5 (including the audit report in the language specific sub folder).

      Note: The reports in this blog post won’t have much data as this is a lab and you are limited to the number of active clients in Technical Preview releases.

      • BitLocker Computer Compliance
      • BitLocker Enterprise Compliance Dashboard
      • BitLocker Enterprise Compliance Details
      • BitLocker Enterprise Compliance Summary
      • Recovery Audit Report

      BitLocker Computer Compliance

      When running the BitLocker Computer Compliance report you are prompted for a computer name. The BitLocker Computer Compliance Report provides detailed encryption information about each drive on a computer (operating system and fixed data drives). It also provides an indication of the policy that is applied to each drive type on the computer.

      After running you should get some data back, such as the below.

      Note: In the above report are some additional columns that are not shown in the screenshot, but in the actual report you can scroll right to see that data.

      BitLocker Enterprise Compliance Dashboard

      In the BitLocker Enterprise Compliance Dashboard, you’ll be prompted to enter a collection ID of the collection (of computers targeted with a Bitlocker Compliance policy) that you want to check compliance of. The BitLocker Enterprise Compliance Dashboard provides several graphs, which show BitLocker compliance status across the enterprise.

      If all of your computers are non-compliant (such as the one computer in this report below) it will appear in red.

      and after fixing my compliance issues…

      BitLocker Enterprise Compliance Details

      The BitLocker Enterprise Compliance Details report provides details about your targeted computers and allows you to sort by certain data values for

      • Compliance Status
      • Error Status

      Selecting the Compliance status option gives you further search criteria.

      as does Error status

      Once you’ve defined the search criteria (and collection id) the report is displayed by clicking on View Report.

      BitLocker Enterprise Compliance Summary

      The BitLocker Enterprise Compliance Summary is just that, it’s a summary of your BitLocker Enterprise Compliance. You’ll need to enter a collection id so that it can gather data for that BitLocker policy targeted collection. I only have one computer reporting data currently in this lab and it’s decrypting as I speak, so naturally it’s non-compliant. But here’s a view of my summary.

      and the same report looks like this when my devices are compliant

      Recovery Audit Report

      The Recovery Audit Report is a special report in the language specific (eg: en-us) sub folder of BitLocker Management. This report allows you to see which of your help desk users revealed keys to specific users, so it’s a great tracking tool. It’s also special in that (at least in my lab) the ConfigMgr reporting services reporting point user needed db_owner in order to generate the report without error.

      The data in this report is derived from a help desk user (or advanced user) doing a new helpdesk request as described in a previous blog post here.

      Client side report

      You can generate an XML report using the Configuration Manager client agent, on the Configurations tab shown below, select the Bitlocker Compliance policy targeted at the computer. It will list the policy name, what revision it is (which is useful when you change settings in ConfigMgr itself), when it was last evaluated and whether it’s compliant or not.

      To view the report, click on View Report. The report below is from a client in non-compliant state.

      You can then drill down further into this report to see what’s the issue.

      Once you’ve resolved the compliance issues, it should register as compliant such as in this xml

      So that’s it for this blog post, I’ll update it over the coming days with some more insights as I get time.

      Related reading

      • https://www.niallbrady.com/2019/10/07/how-does-key-rotation-work-in-mbam-integrated-with-sccm/
      • https://www.niallbrady.com/2019/10/06/how-can-you-use-the-help-desk-feature-when-mbam-is-integrated-within-sccm/
      • https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/mbam-v2/how-to-recover-a-corrupted-drive-mbam-2
      • https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/mbam-v25/how-to-use-the-self-service-portal-to-regain-access-to-a-computer-mbam-25
      • On-premises BitLocker management using System Center Configuration Manager
      • How can I get BitLocker Recovery Keys from the ConfigMgr database
      • How to fix: “Unable to find suitable Recovery Service MP. Marking policy non-compliant”
      • https://techcommunity.microsoft.com/t5/Enterprise-Mobility-Security/Microsoft-expands-BitLocker-management-capabilities-for-the/ba-p/544329
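
Post 16 above fixes the report errors by changing database role membership for the reporting services point account, and notes that the Recovery Audit Report needed db_owner in the lab. The T-SQL below is an added example, not part of the original post or of Microsoft's documentation: it reviews which roles the account holds, grants db_datareader only when missing, and flags db_owner for review. The database name CM_XXX is a placeholder assumption; the account name is the one given in the post.

```sql
-- Added example. CM_XXX is a placeholder for the site database name (assumption).
-- windowsnoob\CM_SR is the reporting services point account named in the post.
USE [CM_XXX];
GO

DECLARE @acct sysname = N'windowsnoob\CM_SR';

-- 1. Stop early if the account is not a user in this database.
IF DATABASE_PRINCIPAL_ID(@acct) IS NULL
BEGIN
    RAISERROR('Account is not a user in this database; nothing changed.', 16, 1);
    RETURN;
END;

-- 2. Grant read-only access only when it is not already an explicit member.
IF NOT EXISTS (
    SELECT 1
    FROM sys.database_role_members
    WHERE role_principal_id   = DATABASE_PRINCIPAL_ID(N'db_datareader')
      AND member_principal_id = DATABASE_PRINCIPAL_ID(@acct)
)
    ALTER ROLE db_datareader ADD MEMBER [windowsnoob\CM_SR];

-- 3. List every role the account now holds and mark the high-privilege one,
--    so a db_owner grant made for the audit report stays visible in reviews.
SELECT m.name AS member_name,
       r.name AS role_name,
       CASE WHEN r.name = N'db_owner'
            THEN 'review: full control of the database'
            ELSE 'ok'
       END    AS note
FROM sys.database_role_members AS drm
JOIN sys.database_principals   AS r ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals   AS m ON m.principal_id = drm.member_principal_id
WHERE m.name = @acct
ORDER BY r.name;
```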
  17. also, check your partition layout on Windows 7, you need to know exactly what you are dealing with in order to get it to work. Diskpart will be your friend in troubleshooting as will pause statements before, and after the mbr2gpt step.
  18. No don't do that, you can use the following Cumulative Update instead (it's current). https://download.microsoft.com/download/C/4/F/C4F908C9-98ED-4E5F-88D5-7D6A5004AEBD/SQLServer2017-KB4515579-x64.exe to find the cumulative update download link i do as follows, I google a phrase like "download sql server 2017 cumulative update" and click on the Microsoft link, it'll show a page like this.. then I click on download to download it, while it's downloading the page has changed, right click on it and choose View Source, in the page source, search for download.microsoft.com and you'll get your download link.
  19. if you have no good backups then you are out of luck, i assume by encrypted you mean it has Ransomware encryption of some sort that has run rampant over your two (or more) servers, encrypting random files. If so you need to start fresh and make sure to focus on security this time, do you have any idea why it got infected before ? and why are there no good backups, that's a recipe for disaster

      by starting fresh i mean a complete server reinstall for each affected server, you must be 100% sure that there are no infected files lingering or you will be back to square one...

      whatever you do, don't pay the ransom, doing that would mean that the authors will profit at your expense and they will build even worse ransomware which you may get infected with again in the future.
  20. ok can you grab the app*.xml files and setup*.log stored in the $windows.~bt\Sources\Panther location after the windows upgrade failure, zip them up and attach them here i'll take a look.
  21. Everyone who attends the webinar has a chance of winning a VMware VCP course (VMware Install, Config, Manage) worth $4.5k! Climbing the career ladder in the IT industry is usually dependent on one crucial condition: having the right certifications. If you’re not certified to a specified level in a certain technology used by an employer, that’s usually a non-negotiable roadblock to getting a job or even further career progression within a company. Understanding the route you should take, and creating a short, medium, and long term plan for your certification goals is something everyone working in the IT industry must do. In order to do this properly you need the right information and luckily, an upcoming webinar from the guys at Altaro has you covered! Fast Track your IT Career with VMware Certifications is a free webinar presented by vExperts Andy Syrewicze and Luke Orellana on November 20th outlining everything you need to know about the VMware certification world including costs, value, certification tracks, preparation, resources, and more. In addition to the great content being discussed, everyone who attends the webinar has a chance of winning a VMware VCP course (VMware Install, Config, Manage) worth $4.5k! This incredible giveaway is open to anyone over the age of 18 and all you need to do to enter is register and attend the webinar on November 20th! The winner will be announced the day after the webinar via email to registrants. VMware VCP Certification is one of the most widely recognized and valued certifications for technicians and system administrators today however the hefty price tag of $4.5k puts it out of reach of many. The chance to get this course for free does not come along every day and should definitely not be missed! Register for the webinar and VCP Giveaway
  22. well it could be that your error is a hard block, did you check the appcompat logs to see if it was listed as a hard block ? you can't ignore hard blocks..