anyweb

Root Admin

Everything posted by anyweb

  1. Did you already create a policy previously? I'd suggest you look at my videos here, start with #1 and work your way through them, I cover this exact question in there.
       • BitLocker management – Part 1 Initial setup
       • BitLocker management – Part 2 Deploy portals
       • BitLocker management – Part 3 Customize portals
       • BitLocker management – Part 4 Force encryption with no user action
       • BitLocker management – Part 5 key rotation
       • BitLocker management – Part 6 Force decryption with no user action
       • BitLocker management – Part 7 Reporting and compliance
       • BitLocker management – Part 8 Migration
       • BitLocker management – Part 9 Group Policy settings
       • BitLocker management – Part 10 Troubleshooting
  2. You'd need to provide some actual context of what you are trying here and where it failed, can you tell us more about your problem?
  3. It was linked to in the article, see https://docs.microsoft.com/en-us/windows/deployment/update/waas-manage-updates-wufb

     Types of updates managed by Windows Update for Business

     Windows Update for Business provides management policies for several types of updates to Windows 10 devices:
       • Feature updates: previously referred to as upgrades, feature updates contain not only security and quality revisions, but also significant feature additions and changes; they are released semi-annually in the fall and in the spring.
       • Quality updates: these are traditional operating system updates, typically released the second Tuesday of each month (though they can be released at any time). These include security, critical, and driver updates. Windows Update for Business also treats non-Windows updates (such as those for Microsoft Office or Visual Studio) as quality updates. These non-Windows Updates are known as "Microsoft updates" and you can configure devices to receive or not receive such updates along with their Windows updates.
       • Driver updates: these are non-Microsoft drivers that are applicable to your devices. Driver updates can be turned off by using Windows Update for Business policies.
       • Microsoft product updates: these are updates for other Microsoft products, such as Office. These updates can be enabled or disabled by using Windows Update for Business policy.

     Offering

     You can control when updates are applied, for example by deferring when an update is installed on a device or by pausing updates for a certain period.

     Manage which updates are offered

     Windows Update for Business offers you the ability to turn on or off both driver and Microsoft product updates.
       • Drivers (on/off): When "on," this policy will not include drivers with Windows Update.
       • Microsoft product updates (on/off): When "on" this policy will install updates for other Microsoft products.

     Manage when updates are offered

     You can defer or pause the installation of updates for a set period of time.

     Defer or pause an update

     A Windows Update for Business administrator can defer the installation of both feature and quality updates from deploying to devices within a bounded range of time from when those updates are first made available on the Windows Update service. You can use this deferral to allow time to validate deployments as they are pushed to devices. Deferrals work by allowing you to specify the number of days after an update is released before it is offered to a device (if you set a feature update deferral period of 365 days, the device will not install a feature update that has been released for less than 365 days). To defer feature updates use the Select when Preview Builds and Feature Updates are Received policy.

     Category            Maximum deferral
     Feature updates     365 days
     Quality updates     30 days
     Non-deferrable      none

     Pause an update

     If you discover a problem while deploying a feature or quality update, the IT administrator can pause the update for 35 days to prevent other devices from installing it until the issue is mitigated. If you pause a feature update, quality updates are still offered to devices to ensure they stay secure. The pause period for both feature and quality updates is calculated from a start date that you set. To pause feature updates use the Select when Preview Builds and Feature Updates are Received policy and to pause quality updates use the Select when Quality Updates are Received policy. For more information, see Pause feature updates and Pause quality updates.

     Select branch readiness level for feature updates

     The branch readiness level enables administrators to specify which channel of feature updates they want to receive. Today there are branch readiness level options for both pre-release and released updates:
       • Windows Insider Program for Business pre-release updates
           • Windows Insider Fast
           • Windows Insider Slow
           • Windows Insider Release Preview
       • Semi-annual Channel for released updates

     Prior to Windows 10, version 1903, there are two channels for released updates: Semi-annual Channel and Semi-annual Channel (Targeted). Deferral days are calculated against the release date of the chosen channel. Starting with Windows 10, version 1903 there is only the one release channel: Semi-annual Channel. All deferral days will be calculated against a release’s Semi-annual Channel release date. To see release dates, visit Windows Release Information. You can set the branch readiness level by using the Select when Preview Builds and Feature Updates are Received policy. In order to use this to manage pre-release builds, first enable preview builds by using the Manage preview Builds policy.

     Recommendations

     For the best experience with Windows Update, follow these guidelines:
       • Use devices for at least 6 hours per month, including at least 2 hours of continuous use.
       • Keep devices regularly charged. Plugging in devices overnight enables them to automatically update outside of active hours.
       • Make sure that devices have at least 10 GB of free space.
       • Give devices unobstructed access to the Windows Update service.
  4. It's all documented here https://docs.microsoft.com/en-us/configmgr/sum/deploy-use/integrate-windows-update-for-business-windows-10 take a look at that and if you have any more questions then post back here.
  5. You could also use Windows Update for Business policies to enforce this, much easier and configurable within ConfigMgr.
  6. And to answer your last question:

     "One last question if currently all our machines have BitLocker on and I add them to this new policy will it be able to pull the current in use recovery keys or would I have to decrypt then re-encrypt?"

     If you have a computer that is already encrypted with BitLocker, let's say with AES 128 (or some other encryption algorithm), and you later add this computer to your BitLocker Management collection that has a policy targeted to it, the computer will get the BitLocker management policy and then decide whether it is compliant or not based on the settings of that policy, it will NOT re-encrypt the already encrypted drive (if for example the algorithm doesn't match your configured BitLocker Management policy).

     In addition, on that already encrypted drive, regardless of whether or not it is compliant with your BitLocker management policy, the MDOP agent will rotate the existing BitLocker recovery key and store the newly rotated recovery key in the ConfigMgr database.

     In the screenshot below you can see the recovery key has rotated on the already encrypted (with BitLocker) client, and the new key is now stored in ConfigMgr's database. This computer was previously encrypted with BitLocker using GPO settings from AD but it doesn't matter how it was encrypted with BitLocker, the fact is it was already encrypted.

     Side note #1: if you were saving the key to your on-premises Active Directory prior to using the BitLocker Management features in ConfigMgr, then the newly rotated recovery key will also be stored in Active Directory.

     Side note #2: Those same keys will also be stored in the cloud (if you have Azure AD Connect set up) as shown below:

     Starting Windows 10 v1903 the keys are now backed up to On-Prem AD and to Azure AD on Hybrid Joined machines provided the machine has line of sight to On-Prem DCs and Internet connectivity to reach Azure AD for backing up keys.

     Source: https://microsoftintune.uservoice.com/forums/291681-ideas/suggestions/34015732-bitlocker-recovery-keys-in-a-hybrid-aad-joined-dev

     What about compliance of your BitLocker Management policy?

     If you look closely at the first screenshot, you can also see that the client is non-compliant for the 'enable bitlocker encryption' BitLocker Management policy I created, and that is because this client computer only has AES-128 as the algorithm and the policy requires AES-256. To resolve the compliance problem, you'd have to decrypt the drive and then re-encrypt with the correct algorithm as defined in your BitLocker Management policy in ConfigMgr, only after doing that would it register as compliant.

     cheers
     niall
  7. What policy settings have you configured and have you verified the client is indeed in the collection where you deployed it?
  8. "hi Neil Thanks for your guide it was very helpful!"

     You are welcome.

     "I have installed the BitLocker extension on 1910 and have currently deployed it to one newly built machine as a test. This was all successful however is the only way to view the key to query the database directly as this seems a bit clunky,"

     I'm not really following what you are saying there but if you are asking how to review the recovery key, normally you'd use the Helpdesk feature as described in the part 2 and part 3 videos here
  9. No timeline yet, thanks for the thanks. I still have 2 videos of my BitLocker Management series to complete, then I'll get to it. Sorry for the delay but all this takes time.
  10. I'd recommend using the install.wim baked into the original media and not 'capture' fat images any more, it's quicker and will save you time and effort in the long run. Why are you capturing images now anyway?
  11. It’s common knowledge, or at least should be, that certifications are the most effective way for IT professionals to climb the career ladder and it’s only getting more important in an increasingly competitive professional marketplace. Similarly, cloud-based technologies are experiencing unparalleled growth and the demand for IT professionals with qualifications in this sector is growing rapidly.

      Make 2020 your breakthrough year - check out this free upcoming webinar hosted by two Microsoft cloud experts to plan your Azure certification strategy in 2020.

      The webinar features a full analysis of the Microsoft Azure certification landscape in 2020, giving you the knowledge to properly prepare for a future working with cloud-based workloads. Seasoned veterans Microsoft MVP Andy Syrewicze and Microsoft cloud expert Michael Bender will be hosting the event which includes Azure certification tracks, training and examination costs, learning materials, resources and labs for self-study, how to gain access to FREE Azure resources, and more.

      Altaro’s webinars are always well attended and one reason for this is the encouragement for attendee participation. Every single question asked is answered and no stone is left unturned by the presenters. They also present the event live twice to allow as many people as possible to have the chance of attending the event and asking their questions in person!

      For IT professionals in 2020, and especially those with a Microsoft ecosystem focus, this event is a must-attend!

      The webinar will be held on Wednesday February 19, at 3pm CET/6am PST/9am EST and again at 7pm CET/10am PST/1pm EST. I’ll be attending so I’ll see you there!

      Save your free webinar seat
  12. "Thanks for the video you posted on Youtube! I really like that you didn’t edit out your troubleshooting. Seeing you troubleshoot gives the video a higher value than simply showing a 100% working environment!"

      Thank you!

      1. It can be completely silent, see >
      2. MDOP is not a self healing product, but you can use CI/CB's in ConfigMgr to achieve this (via compliance). MDOP offers the helpdesk and self service portals, encryption of the database and traffic between client and the database.
  13. Here's how I installed Windows Server 2019 on it in case you are interested https://www.niallbrady.com/2019/02/09/installing-windows-server-2019-on-a-lenovo-p1-for-data-dedup-my-rough-notes/
  14. Have you seen these guides, they work 100% for me:
       • How can I configure System Center Configuration Manager in HTTPS mode (PKI) - Part 1
       • How can I configure System Center Configuration Manager in HTTPS mode (PKI) - Part 2
  15. No GPO's needed. Can you attach (or email me) the 2 BitLocker related logs in c:\windows\ccm\logs and can you do a teamviewer session so I can take a look?
  16. I didn't get any log file, try again niall@windows-noob.com
  17. That does look related, does it correlate to when the client was communicating with the mp? If you want to zip logs and email them to me then fine, send them to niall AT windows DASH noob DOT com
  18. Ok, can you please zip up the BitLocker logs in c:\windows\ccm\logs and send them to me or attach them here, I'll ask Microsoft to comment.
  19. Introduction

      I’ve created a video showing you what you need to know to get BitLocker Management (formerly MBAM) integration working in Microsoft Endpoint Configuration Manager version 1910, please check it out. For more info and links to setting up PKI in your lab and converting Configuration Manager to HTTPS see this blog post.

      To see the rest of the videos click below:
       • BitLocker management – Part 1 Initial setup
       • BitLocker management – Part 2 Deploy portals
       • BitLocker management – Part 3 Customize portals
       • BitLocker management – Part 4 Force encryption with no user action
       • BitLocker management – Part 5 key rotation
       • BitLocker management – Part 6 Force decryption with no user action
       • BitLocker management – Part 7 Reporting and compliance
       • BitLocker management – Part 8 Migration
       • BitLocker management – Part 9 Group Policy settings
       • BitLocker management – Part 10 Troubleshooting
  20. Introduction

      In this video I show you what you need to know to get the BitLocker Management (formerly MBAM) web site portals working in Microsoft Endpoint Configuration Manager version 1910, please check it out.

      To read about the two portals shown above, see the following blog posts:
       • How can you use the Self Service feature when MBAM is integrated within SCCM?
       • How can you use the Help Desk feature when MBAM is integrated within SCCM?

      To see the rest of the videos click below:
       • BitLocker management – Part 1 Initial setup
       • BitLocker management – Part 2 Deploy portals
       • BitLocker management – Part 3 Customize portals
       • BitLocker management – Part 4 Force encryption with no user action
       • BitLocker management – Part 5 key rotation
       • BitLocker management – Part 6 Force decryption with no user action
       • BitLocker management – Part 7 Reporting and compliance
       • BitLocker management – Part 8 Migration
       • BitLocker management – Part 9 Group Policy settings
       • BitLocker management – Part 10 Troubleshooting
  21. Introduction

      In this video I show you how to customize the self service portal to suit your organization, and I show you how you can change what a person sees in the help desk based on which Active Directory Security Group they are a member of (in relation to BitLocker Management). Take a look!

      To see the rest of the videos click below:
       • BitLocker management – Part 1 Initial setup
       • BitLocker management – Part 2 Deploy portals
       • BitLocker management – Part 3 Customize portals
       • BitLocker management – Part 4 Force encryption with no user action
       • BitLocker management – Part 5 key rotation
       • BitLocker management – Part 6 Force decryption with no user action
       • BitLocker management – Part 7 Reporting and compliance
       • BitLocker management – Part 8 Migration
       • BitLocker management – Part 9 Group Policy settings
       • BitLocker management – Part 10 Troubleshooting
  22. Introduction

      In this video I show you how to enforce encryption with no user interaction using BitLocker Management in Configuration Manager 1910 (and a compliance baseline containing a configuration item with 2 registry keys). Below are the key path and key names I used in the video:

      SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement
      OsEnforcePolicyPeriod = 0

      SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement
      UseOsEnforcePolicy = 1

      Recommended reading
       • Link to the GPO setting documentation: https://docs.microsoft.com/en-us/micr…
       • Learn more about BitLocker Management in Configuration Manager: https://www.niallbrady.com/2019/11/13/want-to-learn-about-the-new-bitlocker-management-in-microsoft-endpoint-manager-configuration-manager/

      To see the rest of the videos click below:
       • BitLocker management – Part 1 Initial setup
       • BitLocker management – Part 2 Deploy portals
       • BitLocker management – Part 3 Customize portals
       • BitLocker management – Part 4 Force encryption with no user action
       • BitLocker management – Part 5 key rotation
       • BitLocker management – Part 6 Force decryption with no user action
       • BitLocker management – Part 7 Reporting and compliance
       • BitLocker management – Part 8 Migration
       • BitLocker management – Part 9 Group Policy settings
       • BitLocker management – Part 10 Troubleshooting
  23. Introduction

      In this video I show you how key rotation works when a key has been revealed via the helpdesk using BitLocker Management integrated as a feature in Microsoft Endpoint Configuration Manager version 1910.

      To see a list of all the videos in this series click below:
       • BitLocker management – Part 1 Initial setup
       • BitLocker management – Part 2 Deploy portals
       • BitLocker management – Part 3 Customize portals
       • BitLocker management – Part 4 Force encryption with no user action
       • BitLocker management – Part 5 key rotation
       • BitLocker management – Part 6 Force decryption with no user action
       • BitLocker management – Part 7 Reporting and compliance
       • BitLocker management – Part 8 Migration
       • BitLocker management – Part 9 Group Policy settings
       • BitLocker management – Part 10 Troubleshooting

      Take a look!
  24. Introduction

      In this video I show you how you can enforce decryption of BitLocker encrypted drives in Microsoft Endpoint Configuration Manager version 1910. It involves the use of a custom Configuration Baseline with a Configuration Item to set a registry key. This is part 6 from a 10 part video series on YouTube.
       • BitLocker management – Part 1 Initial setup
       • BitLocker management – Part 2 Deploy portals
       • BitLocker management – Part 3 Customize portals
       • BitLocker management – Part 4 Force encryption with no user action
       • BitLocker management – Part 5 key rotation
       • BitLocker management – Part 6 Force decryption with no user action
       • BitLocker management – Part 7 Reporting and compliance
       • BitLocker management – Part 8 Migration
       • BitLocker management – Part 9 Group Policy settings
       • BitLocker management – Part 10 Troubleshooting

      Take a look!