anyweb

ok i missed the 'internet' part, i haven't tested this for IBCM clients yet, have you configured your certs to work with internet based clients ?

thanks for posting the solution to your problem !

well how are you setting it now, can you show your configured settings ?

take a look at this post it should help https://sccmxpert.com/2016/09/09/infoblox-settings-for-uefi-based-os-deployment/

they need to configure infloblox using the IPv4 DHCP options node, something like this

if it's already created then leave it there, it's safe to delete the contents inside as the they will get repopulated (if everything is working correctly)

hi Shaq, the reason I stated that HTTPS was required was because it was in TP1905, but then it wasn't in TP1909, but in ConfigMgr 1910 Current Branch it is again, required. but... going forward I think that a future release of ConfigMgr (maybe 2002) will allow you to use eHTTP or HTTPS, that would make it much easier to use the MBAM capabilities but remember HTTPS is more secure regardless. cheers niall

i think you need to look at the steps in the guide again as i just quickly looked at part 3, step 1, where i show you how to manually install roles and features, In this step you can see the BITS components that are required, did you miss it ? I've updated the original post to make it clear that both Background Intelligent Transfer Service (BITS) and IIS Server Extension need to be selected

Unable to find suitable Recovery Service MP usually means that it cannot communicate with the https enabled management point, are you using pki on your clients and sccm server(s) ?

Following the guide manually, I get the following errors on SCCM install: are you sure you followed my guide 100% or did you change anything ? if so what ? please do tell us more about how you did this

hi @CellFreak so to be clear, are you saying you upgraded to ConfigMgr 1910 and enabled the MBAM feature, and then you could see some domain joined clients storing the keys in ConfigMGr's database in the MBAM tables, but it's not working for workgroup joined computers ? please clarify this

no reply yet, i've emailed again...

Thanks so much for what you've done for the SCCM community anyweb... these guides are great! thanks ! can you please attach your smsts.log so i can take a look, it will explain why it's continuing for you (perhaps, continue on error is selected ?)

i've emailed them, let's see if they reply

I can check with the product group if you can wait on their reply ?

no you don't but you do need the serviceui,exe from mdt, can you post your smsts.log so i can see what's going wrong ? and a view of your actual step in the task sequence

it's still here, just click on the download (it's only available to logged in registered members)

ok good info, i'll try my best to verify this when I have time...

everything inside the LAB should be on a private network, that way everything in the lab can talk to itself without interference from the outside, if you map a switch to a network card then that effectively gives your lab access to anything on that network and vice versa, so if your network card is connected say to your internal company network, and you set your switch to External, using your onboard NIC, then your dhcp server could start handing out ip's on your company network, and you don't want that. so keep your lab private, and only share internet into the lab using a smoothwall or similar. if you want to 'test' deploying things (like operating systems or otherwise) to computers outside of the lab, then follow my guide here

hi, if you are planning on doing this on a Surface that's fine as long as it has at least 16GB of ram (minimum) for all the virtual machines, and lots of storage. for both #1 and #2 configure the switch as PRIVATE that way it won't matter that you are running DHCP as it will be self contained in it's own private network

also can you modify your cmdline to correctly specify the reportserver via the -ReportWebServiceUrl switch, yours is currently pointing to Reports and it should point to Reportserver here's a sample .\MBAMWebSiteInstaller.ps1 -SqlServerName cm01.windowsnoob.lab.local -SqlInstanceName MSSQLSERVER -SqlDatabaseName CM_P01 -ReportWebServiceUrl http://cm01.windowsnoob.lab.local/Reportserver -HelpdeskUsersGroupName "windowsnoob\MBAM_HD" -HelpdeskAdminsGroupName "windowsnoob\MBAM_HD_Adv" -MbamReportUsersGroupName "windowsnoob\MBAM_HD_Report" -SiteInstall

ok got them, when you created the certs did you get any errors during that process or did it all proceed happily ? did you verify that it met all these requirements ? The name of the BitLocker management encryption certificate must be BitLockerManagement_CERT. Encrypt this certificate with a database master key. The following SQL users need Control permissions on the certificate: RecoveryAndHardwareCore RecoveryAndHardwareRead RecoveryAndHardwareWrite Deploy the same certificate at every site database in your hierarchy. Create the certificate with the latest version of SQL Server in your environment. For example: Certificates created with SQL Server 2016 or later are compatible with SQL Server 2014 or earlier. Certificates created with SQL Server 2014 or earlier aren't compatible with SQL Server 2016 or later. and lastly, did you verify the certificate creation using the Verify certificate SQL script ? please confirm, what i can try and do (in my lab) is to revert it and go through this process, see how it works for me, but... it is dependent on time,

thanks for the feedback, but no it's not missing, that is why we do cd \ in step 5, it moves us from c:\windows\system32 to c:\ before running the command, which in turn, creates the cert in that location, if you want to specify the location of it go ahead and it's possible, but it's not 'missing' if you follow the steps above exactly, it will work 100% this command retrieves the CA certificate from the issuingca and places (recreates it) using the name you specify in the folder you are currently in see docs: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil -ca.cert CertUtil [Options] -ca.cert OutCACertFile [Index] Retrieve the CA's certificate OutCACertFile: output file Index: CA certificate renewal index (defaults to most recent) [-f] [-split] [-config Machine\CAName] cheers niall

ok what command line did you use to install, can you paste it here please and did you create all the certificates or just one, what command lines did you use to create the certificates, the more info I have the more i can help if you don't want to post it here then mail it to me, niall AT windows-noob DOT com cheers niall

Thank you for the lab (up to part 6 its all working fine) Great to hear it ! Just a short question: how can I add templates? My PaloAlto FW needs the Subordinate Certification Authority template for inspecting network traffic. It is only with "new - certificate template to issue"? (This sounds too easy ? ) in Certsrv.msc on the IssuingCA right click on Certificate Templates, and choose Manage, you can then select a known Certificate Template (for example Workstation Authentication) that matches what is required for your FW, check the documentation of the FW to see exactly what type of certificate it requires and duplicate it by chgoosing Duplicate Template then rename it to your needs and adjust it to suit the FW requirements and as for your other question, see this answer from Technet. According to https://docs.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/prepare-the-capolicy-inf-file the LoadDefaultTemplate flag only applies to an enterprise CA. My assumption is that if you set up a standalone, the templates will be loaded nevertheless. LoadDefaultTemplates only applies during the install of an Enterprise CA. This setting, either True or False (or 1 or 0), dictates if the CA is configured with any of the default templates.