Everything posted by anyweb
-
WU4B vs WU
anyweb replied to Kevin79's topic in System Center Configuration Manager (Current Branch)
the main benefits would be that it can be totally cloud-based (if that's what you configure via Intune) versus on-premises infrastructure, and it simplifies things by lowering complexity. Here's a dated but fairly decent blog post about it, and here's a more recent blog post detailing abilities. -
@BlakeGetz can I take a look at it via TeamViewer? Alternatively try this: open regedit and change the following reg key value.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\SRSRP]
"SRSInitializeState"=dword:00000000

The value should be changed to 0, then wait for the value to change back to 1. It will change to 2 for a while. You can monitor the srsrp.log while you wait.
-
Introduction

In an earlier post I showed you how you can enable Full Disk Encryption via a task sequence in Microsoft Endpoint Manager Configuration Manager version 1910. The screenshots in that blog post were taken from virtual machines and won’t run correctly on virtual machines, as for some reason Full Disk Encryption (FDE) in the Pre-Provision BitLocker step requires real hardware. In this blog post I want to show you how those steps work on real hardware, in this case a HP Prodesk 600 G3 SFF fitted with an old 256GB HDD. I’ve placed pause steps before and after each of the BitLocker related steps and will issue various commands to ‘see’ the effect of those steps on real hardware. In this post we’ll look in detail at how Full Disk Encryption functions within the two BitLocker specific steps, namely:

Pre-Provision BitLocker
Enable BitLocker

Note that the TPM has already been enabled in the UEFI firmware on this hardware.

Pre-Provision BitLocker

The Pre-Provision BitLocker step allows you to save time by encrypting only used space (normally), so how does this step work when Use full disk encryption is selected? The first thing you need to keep in mind is that enabling FDE will significantly increase OSD build times. So, now that we’ve paused the task sequence at this point, it’s good to note that the HDD has been formatted in the previous Partition Disk 0 – UEFI step and, due to that, it is not encrypted in any way, as the following command reveals.

manage-bde -status

Conversion Status: Fully Decrypted

After running the Pre-Provision BitLocker step we can see the following in smsts.log; the interesting bits in relation to the TPM are shown below:

Tpm is enabled
Tpm is activated
Tpm is owned
Tpm ownership is allowed
Tpm has compatible SRK
Tpm has EK pair
Initial TPM state: 63

For comparison’s sake, here’s a view of smsts.log on the same hardware after the TPM has been cleared in Windows using TPM.MSC as administrator.

Tpm is enabled
Tpm is activated
Tpm is not owned
Tpm ownership is allowed
Tpm has compatible SRK
Tpm has EK pair
Initial TPM state: 55

As you can see in that example, the TPM is not owned, so ownership is instigated by the Pre-Provision BitLocker step:

Taking ownership of TPM

Note: You can perform hardware actions such as clearing the TPM via hardware vendor specific custom steps in your task sequence, or do them manually in the UEFI firmware, or via tpm.msc in Windows (as Administrator).

Further down in smsts.log it lists that it is Encrypting full disk, and if we look at manage-bde -status it reveals the following: the drive is being encrypted!

You can see the rest of this blog post here: https://www.niallbrady.com/2020/02/25/full-disk-encryption-a-closer-look-on-real-hardware/
-
Bitlocker - Drives not Encrypting
anyweb replied to ukg_matt's topic in System Center Configuration Manager (Current Branch)
are you saying they are reporting as non-compliant but are in fact compliant? If so, have you installed the hotfix available for 1910 in the console? -
SCCM CB 1910 - Bitlocker
anyweb replied to FSiglmueller's topic in System Center Configuration Manager (Current Branch)
hi Florian, I'd suggest you look inside the PowerShell script itself and use switches based on that; here's a hint. Post your results here. And as regards the BitLocker Management websites being SSL or not, Microsoft recommends but doesn't require the use of HTTPS for the BitLocker websites (HTTPS is still required in CM1910 for the MP recovery service endpoint though): https://docs.microsoft.com/en-us/configmgr/protect/deploy-use/bitlocker/setup-websites -
SCCM CB 1910 - Bitlocker
anyweb replied to FSiglmueller's topic in System Center Configuration Manager (Current Branch)
it's covered in this video; simply point it to the server name where you intend those services to run, and the command lines are here. -
SCCM CB 1910 - Bitlocker
anyweb replied to FSiglmueller's topic in System Center Configuration Manager (Current Branch)
you can move them by running the PowerShell script to install the helpdesk and self service desk on another site server; it must have IIS installed along with the prerequisites below.

In version 1910, to create a BitLocker management policy, you need the Full Administrator role in Configuration Manager.

To integrate the BitLocker recovery service in Configuration Manager requires a HTTPS-enabled management point. On the properties of the management point, the Client connections setting must be HTTPS.
Note: In version 1910, it doesn't support Enhanced HTTP.

To use the BitLocker management reports, install the reporting services point site system role. For more information, see Configure reporting.
Note: In version 1910, for the Recovery Audit Report to work from the administration and monitoring website, only use a reporting services point at the primary site.

To use the self-service portal or the administration and monitoring website, you need a Windows server running IIS. You can reuse a Configuration Manager site system, or use a standalone web server that has connectivity to the site database server. Use a supported OS version for site system servers.
Note: In version 1910, only install the self-service portal and the administration and monitoring website with a primary site database. In a hierarchy, install these websites for each primary site.

On the web server that will host the self-service portal, install Microsoft ASP.NET MVC 4.0.

The user account that runs the portal installer script needs SQL sysadmin rights on the site database server. During the setup process, the script sets login, user, and SQL role rights for the web server machine account. You can remove this user account from the sysadmin role after you complete setup of the self-service portal and the administration and monitoring website. -
SCCM 1910 - PXE Boot 0xc0000001
anyweb replied to Joe13's topic in System Center Configuration Manager (Current Branch)
did you try to restart the WDS service and redistribute your boot images after doing the change? -
hi, see below

do we need to enable full disk encryption during the OSD for this to work?

the following docs explain that you can do this during OSD: By default, the Enable BitLocker task sequence step only encrypts used space on the drive. BitLocker management uses full disk encryption. Configure this task sequence step to enable the option to Use full disk encryption. For more information, see Task sequence steps - Enable BitLocker.

- do we need to set bitlocker encryption levels in the OSD still and GPOs or just use the new Bitlocker deployment policy after the machine is online?

it's up to you which way works better; do you want to control BitLocker (keys) during OSD or after? That's entirely up to you. The easiest way is to simply target the policy after it's imaged, but the safest way is to configure it during OSD.
-
Tasksequence auto selection
anyweb replied to FlyFly's topic in System Center Configuration Manager (Current Branch)
if you want to remove choice then simply deploy the task sequence with a purpose of Required, but be warned: be very careful about what collection you deploy any required task sequences to, because they are Mandatory and can cause all sorts of issues if you get your queries wrong, or if you target a collection with many computers inside... -
SCCM CB and Bitlocker
anyweb replied to wanderer's topic in System Center Configuration Manager (Current Branch)
did you already create a policy previously? I'd suggest you look at my videos here; start with #1 and work your way through them, I cover this exact question in there.

BitLocker management – Part 1 Initial setup
BitLocker management – Part 2 Deploy portals
BitLocker management – Part 3 Customize portals
BitLocker management – Part 4 Force encryption with no user action
BitLocker management – Part 5 key rotation
BitLocker management – Part 6 Force decryption with no user action
BitLocker management – Part 7 Reporting and compliance
BitLocker management – Part 8 Migration
BitLocker management – Part 9 Group Policy settings
BitLocker management – Part 10 Troubleshooting -
you'd need to provide some actual context of what you are trying here and where it failed; can you tell us more about your problem?
-
Cloud Management Gateway
anyweb replied to Kevin79's topic in System Center Configuration Manager (Current Branch)
it was linked to in the article, see https://docs.microsoft.com/en-us/windows/deployment/update/waas-manage-updates-wufb

Types of updates managed by Windows Update for Business

Windows Update for Business provides management policies for several types of updates to Windows 10 devices:

Feature updates: previously referred to as upgrades, feature updates contain not only security and quality revisions, but also significant feature additions and changes; they are released semi-annually in the fall and in the spring.
Quality updates: these are traditional operating system updates, typically released the second Tuesday of each month (though they can be released at any time). These include security, critical, and driver updates. Windows Update for Business also treats non-Windows updates (such as those for Microsoft Office or Visual Studio) as quality updates. These non-Windows Updates are known as "Microsoft updates", and devices can be configured to receive or not receive such updates along with their Windows updates.
Driver updates: these are non-Microsoft drivers that are applicable to your devices. Driver updates can be turned off by using Windows Update for Business policies.
Microsoft product updates: these are updates for other Microsoft products, such as Office. These updates can be enabled or disabled by using Windows Update for Business policy.

Offering

You can control when updates are applied, for example by deferring when an update is installed on a device or by pausing updates for a certain period.

Manage which updates are offered

Windows Update for Business offers you the ability to turn on or off both driver and Microsoft product updates.
Drivers (on/off): When "on," this policy will not include drivers with Windows Update.
Microsoft product updates (on/off): When "on" this policy will install updates for other Microsoft products.

Manage when updates are offered

You can defer or pause the installation of updates for a set period of time.

Defer or pause an update

A Windows Update for Business administrator can defer the installation of both feature and quality updates from deploying to devices within a bounded range of time from when those updates are first made available on the Windows Update service. You can use this deferral to allow time to validate deployments as they are pushed to devices. Deferrals work by allowing you to specify the number of days after an update is released before it is offered to a device (if you set a feature update deferral period of 365 days, the device will not install a feature update that has been released for less than 365 days). To defer feature updates use the Select when Preview Builds and Feature Updates are Received policy.

Category          Maximum deferral
Feature updates   365 days
Quality updates   30 days
Non-deferrable    none

Pause an update

If you discover a problem while deploying a feature or quality update, the IT administrator can pause the update for 35 days to prevent other devices from installing it until the issue is mitigated. If you pause a feature update, quality updates are still offered to devices to ensure they stay secure. The pause period for both feature and quality updates is calculated from a start date that you set. To pause feature updates use the Select when Preview Builds and Feature Updates are Received policy and to pause quality updates use the Select when Quality Updates are Received policy. For more information, see Pause feature updates and Pause quality updates.

Select branch readiness level for feature updates

The branch readiness level enables administrators to specify which channel of feature updates they want to receive. Today there are branch readiness level options for both pre-release and released updates:

Windows Insider Program for Business pre-release updates:
Windows Insider Fast
Windows Insider Slow
Windows Insider Release Preview
Semi-annual Channel for released updates

Prior to Windows 10, version 1903, there are two channels for released updates: Semi-annual Channel and Semi-annual Channel (Targeted). Deferral days are calculated against the release date of the chosen channel. Starting with Windows 10, version 1903 there is only the one release channel: Semi-annual Channel. All deferral days will be calculated against a release’s Semi-annual Channel release date. To see release dates, visit Windows Release Information. You can set the branch readiness level by using the Select when Preview Builds and Feature Updates are Received policy. In order to use this to manage pre-release builds, first enable preview builds by using the Manage preview Builds policy.

Recommendations

For the best experience with Windows Update, follow these guidelines:
Use devices for at least 6 hours per month, including at least 2 hours of continuous use.
Keep devices regularly charged. Plugging in devices overnight enables them to automatically update outside of active hours.
Make sure that devices have at least 10 GB of free space.
Give devices unobstructed access to the Windows Update service. -
Cloud Management Gateway
anyweb replied to Kevin79's topic in System Center Configuration Manager (Current Branch)
it's all documented here: https://docs.microsoft.com/en-us/configmgr/sum/deploy-use/integrate-windows-update-for-business-windows-10. Take a look at that, and if you have any more questions then post back here. -
Cloud Management Gateway
anyweb replied to Kevin79's topic in System Center Configuration Manager (Current Branch)
you could also use Windows Update for Business policies to enforce this; much easier and configurable within ConfigMgr. -
And to answer your last question:

One last question: if currently all our machines have BitLocker on and I add them to this new policy, will it be able to pull the current in-use recovery keys or would I have to decrypt then re-encrypt?

If you have a computer that is already encrypted with BitLocker, let's say with AES 128 (or some other encryption algorithm), and you later add this computer to your BitLocker Management collection that has a policy targeted to it, the computer will get the BitLocker management policy and then decide whether it is compliant or not based on the settings of that policy. It will NOT re-encrypt the already encrypted drive (if, for example, the algorithm doesn't match your configured BitLocker Management policy).

In addition, on that already encrypted drive, regardless of whether or not it is compliant with your BitLocker management policy, the MDOP agent will rotate the existing BitLocker recovery key and store the newly rotated recovery key in the ConfigMgr database. In the screenshot below you can see the recovery key has rotated on the already encrypted (with BitLocker) client, and the new key is now stored in ConfigMgr's database. This computer was previously encrypted with BitLocker using GPO settings from AD, but it doesn't matter how it was encrypted with BitLocker; the fact is it was already encrypted.

Side note #1: if you were saving the key to your on-premises Active Directory prior to using the BitLocker Management features in ConfigMgr, then the newly rotated recovery key will also be stored in Active Directory.

Side note #2: Those same keys will also be stored in the cloud (if you have Azure AD Connect set up) as shown below:

Starting Windows 10 v1903 the keys are now backed up to On-Prem AD and to Azure AD on Hybrid Joined machines provided the machine has line of sight to On-Prem DCs and Internet connectivity to reach Azure AD for backing up keys.
Source: https://microsoftintune.uservoice.com/forums/291681-ideas/suggestions/34015732-bitlocker-recovery-keys-in-a-hybrid-aad-joined-dev

What about compliance of your BitLocker Management policy? If you look closely at the first screenshot, you can also see that the client is non-compliant for the 'enable bitlocker encryption' BitLocker Management policy I created, and that is because this client computer only has AES-128 as the algorithm and the policy requires AES-256. To resolve the compliance problem, you'd have to decrypt the drive and then re-encrypt with the correct algorithm as defined in your BitLocker Management policy in ConfigMgr; only after doing that would it register as compliant.

cheers
niall
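The check described in this reply (an already-encrypted AES-128 drive staying non-compliant against an AES-256 policy) and in the Full Disk Encryption post above (manage-bde -status showing Conversion Status), as an added example that is not from the original posts or from ConfigMgr: a PowerShell parser for manage-bde -status output that reports per volume whether the encryption method matches the policy and whether the drive is fully or only used-space encrypted. Function names and the sample status text are assumptions constructed for the example.

```powershell
# Added example (not from the original posts or ConfigMgr). Function names are
# assumptions; the sample mimics the standard manage-bde -status layout.
function Get-BdeVolumeStatus {
    # Pull the per-volume fields out of `manage-bde -status` text.
    param([string[]]$StatusText)
    $volumes = @(); $current = $null
    foreach ($line in $StatusText) {
        if ($line -match '^Volume\s+([A-Z]:)') {
            $current = [ordered]@{ Volume = $Matches[1] }
            $volumes += $current
        }
        elseif ($current -and $line -match '^\s+(Conversion Status|Encryption Method):\s+(.+?)\s*$') {
            $current[($Matches[1] -replace ' ', '')] = $Matches[2]
        }
    }
    return $volumes
}

function Test-BdePolicyCompliance {
    # Compare each volume with the algorithm the BitLocker Management policy requires.
    # -RequireFullDisk also flags used-space-only drives, since BitLocker management
    # uses full disk encryption (see the docs quoted above).
    param([string[]]$StatusText, [string]$RequiredMethod = 'XTS-AES 256', [switch]$RequireFullDisk)
    foreach ($v in Get-BdeVolumeStatus -StatusText $StatusText) {
        $reasons = @()
        if ($v.ConversionStatus -eq 'Fully Decrypted') { $reasons += 'not encrypted' }
        elseif ($v.EncryptionMethod -ne $RequiredMethod) {
            $reasons += "method is $($v.EncryptionMethod), policy requires $RequiredMethod"
        }
        if ($RequireFullDisk -and $v.ConversionStatus -eq 'Used Space Only Encrypted') {
            $reasons += 'used space only, not full disk'
        }
        [pscustomobject]@{ Volume = $v.Volume; Status = $v.ConversionStatus
                           Compliant = ($reasons.Count -eq 0); Reason = ($reasons -join '; ') }
    }
}

# Constructed sample: C: was encrypted earlier by GPO with XTS-AES 128, used space
# only (the already-encrypted case above); D: is still decrypted after formatting.
$sample = @'
Volume C: [Windows]
[OS Volume]

    Conversion Status:    Used Space Only Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 128
Volume D: [Data]
[Data Volume]

    Conversion Status:    Fully Decrypted
    Encryption Method:    None
'@ -split "`r?`n"

Test-BdePolicyCompliance -StatusText $sample -RequireFullDisk | Format-Table -AutoSize
# Live machine: Test-BdePolicyCompliance -StatusText (manage-bde -status) -RequireFullDisk
```

Running it before targeting the policy at an existing collection tells you which drives will report non-compliant and need the decrypt/re-encrypt cycle, rather than discovering it from the compliance report afterwards.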
-
Bitlocker - Drives not Encrypting
anyweb replied to ukg_matt's topic in System Center Configuration Manager (Current Branch)
what policy settings have you configured, and have you verified the client is indeed in the collection where you deployed it? -
hi Neil, thanks for your guide, it was very helpful!

you are welcome.

I have installed the BitLocker extension on 1910 and have currently deployed it to one newly built machine as a test. This was all successful, however is the only way to view the key to query the database directly, as this seems a bit clunky?

I'm not really following what you are saying there, but if you are asking how to review the recovery key, normally you'd use the Helpdesk feature as described in the part 2 and part 3 videos here