Everything posted by anyweb
Posts: 9203. Days Won: 367.
Introduction

Microsoft BitLocker Administration and Monitoring (MBAM) is the ability to have a client agent (the MDOP MBAM agent) on your Windows devices (7, 8, 10) to enforce BitLocker encryption, including algorithm type, and to store the recovery keys securely in your database. It includes reporting, key rotation and more. This is something that has been around for quite some years now and is working great; however, MBAM is currently its own separate solution. The following blog post from Microsoft details their future direction with regard to BitLocker Management and is a must read.

https://techcommunity.microsoft.com/t5/Enterprise-Mobility-Security/Microsoft-expands-BitLocker-management-capabilities-for-the/ba-p/544329

The purpose of this blog post is to gather together previous guides I’ve written since its first release in Technical Preview 1905, which help you understand how to get started with MBAM integrated within Configuration Manager, what to expect on the client computers, using help desk functionality and finally running reports to get an overview of your compliance.

- Getting started with On-premises BitLocker management using SCCM
- How can I get BitLocker Recovery Keys from the ConfigMgr database
- How to fix: “Unable to find suitable Recovery Service MP. Marking policy non-compliant”
- How does Key Rotation work in MBAM integrated with SCCM?
- How can you use the Self Service feature when MBAM is integrated within SCCM?
- How can you use the Help Desk feature when MBAM is integrated within SCCM?
- A quick look at reporting in MBAM integrated within Microsoft Endpoint Manager Configuration Manager
Introduction

Microsoft have been hard at work adding MBAM (Microsoft BitLocker Management and Monitoring) features natively to Microsoft Endpoint Manager Configuration Manager, and those features have been improved since they were first released, with bug fixes and new features added over time. Initially, when TP1905 shipped with MBAM integrated, there was a lot of excitement about this new integration within ConfigMgr. It finally brought together native integration of MBAM within ConfigMgr for on-premises devices. However, reporting capabilities were not included.

A brief history of my MBAM reporting experiences in ConfigMgr

In a later Technical Preview (TP1909), reporting ability was added to the Reporting node in ConfigMgr and I blogged about that here. That release contained a bunch of reports for MBAM located in the Reporting node shown below. Sadly, however, when I tried to run any of them I got an error. I alerted the Microsoft Product Group about this and a known issue was appended to the release notes; however, the suggested workaround didn’t solve my reporting issues. I continued to work with the Microsoft Product Group, and particularly Frederic Mokren (thanks Frederic), until we figured out my issues.

First of all I could see the issue with reading reports in the above screenshots, but further digging revealed permission denied errors on the ConfigMgr database. This was solved by changing the permissions of the ConfigMgr reporting services reporting point user windowsnoob\CM_SR to have db_datareader on the CM database. And below is the user account in question. The above changes should have been implemented in production releases of the same, so hopefully you won’t encounter the problems that I did.

Server side reports

So let’s take a look at the reports for BitLocker Management in ConfigMgr. The reports are found in the Monitoring workspace under BitLocker Management and currently there are 5 (including the audit report in the language specific sub folder).

Note: The reports in this blog post won’t have much data as this is a lab and you are limited to the number of active clients in Technical Preview releases.

- BitLocker Computer Compliance
- BitLocker Enterprise Compliance Dashboard
- BitLocker Enterprise Compliance Details
- BitLocker Enterprise Compliance Summary
- Recovery Audit Report

BitLocker Computer Compliance

When running the BitLocker Computer Compliance report you are prompted for a computer name. The BitLocker Computer Compliance Report provides detailed encryption information about each drive on a computer (operating system and fixed data drives). It also provides an indication of the policy that is applied to each drive type on the computer. After running you should get some data back, such as the below.

Note: In the above report are some additional columns that are not shown in the screenshot, but in the actual report you can scroll right to see that data.

BitLocker Enterprise Compliance Dashboard

In the BitLocker Enterprise Compliance Dashboard, you’ll be prompted to enter the collection ID of the collection (of computers targeted with a BitLocker Compliance policy) that you want to check compliance of. The BitLocker Enterprise Compliance Dashboard provides several graphs, which show BitLocker compliance status across the enterprise. If all of your computers are non-compliant (such as the one computer in this report below) it will appear in red. And after fixing my compliance issues…

BitLocker Enterprise Compliance Details

The BitLocker Enterprise Compliance Details report provides details about your targeted computers and allows you to sort by certain data values for:

- Compliance Status
- Error Status

Selecting the Compliance Status option gives you further search criteria, as does Error Status. Once you’ve defined the search criteria (and collection ID) the report is displayed by clicking on View Report.

BitLocker Enterprise Compliance Summary

The BitLocker Enterprise Compliance Summary is just that: it’s a summary of your BitLocker Enterprise Compliance. You’ll need to enter a collection ID so that it can gather data for that BitLocker policy targeted collection. I only have one computer reporting data currently in this lab and it’s decrypting as I speak, so naturally it’s non-compliant. But here’s a view of my summary. And the same report looks like this when my devices are compliant.

Recovery Audit Report

The Recovery Audit Report is a special report in the language specific (e.g. en-us) sub folder of BitLocker Management. This report allows you to see which of your help desk users revealed keys to specific users, so it’s a great tracking tool. It’s also special in that (at least in my lab) the ConfigMgr reporting services reporting point user needed db_owner in order to generate the report without error. The data in this report is derived from a help desk user (or advanced user) doing a new helpdesk request as described in a previous blog post here.

Client side report

You can generate an XML report using the Configuration Manager client agent. On the Configurations tab shown below, select the BitLocker Compliance policy targeted at the computer. It will list the policy name, what revision it is (which is useful when you change settings in ConfigMgr itself), when it was last evaluated and whether it’s compliant or not. To view the report, click on View Report. The report below is from a client in a non-compliant state. You can then drill down further into this report to see what the issue is. Once you’ve resolved the compliance issues, it should register as compliant, such as in this XML.

So that’s it for this blog post; I’ll update it over the coming days with some more insights as I get time.

Related reading

- https://www.niallbrady.com/2019/10/07/how-does-key-rotation-work-in-mbam-integrated-with-sccm/
- https://www.niallbrady.com/2019/10/06/how-can-you-use-the-help-desk-feature-when-mbam-is-integrated-within-sccm/
- https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/mbam-v2/how-to-recover-a-corrupted-drive-mbam-2
- https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/mbam-v25/how-to-use-the-self-service-portal-to-regain-access-to-a-computer-mbam-25
- On-premises BitLocker management using System Center Configuration Manager
- How can I get BitLocker Recovery Keys from the ConfigMgr database
- How to fix: “Unable to find suitable Recovery Service MP. Marking policy non-compliant”
- https://techcommunity.microsoft.com/t5/Enterprise-Mobility-Security/Microsoft-expands-BitLocker-management-capabilities-for-the/ba-p/544329
huge problem with mbr2gpt
anyweb replied to Atomic12's topic in System Center Configuration Manager (Current Branch)
Also, check your partition layout on Windows 7; you need to know exactly what you are dealing with in order to get it to work. Diskpart will be your friend in troubleshooting, as will pause statements before and after the mbr2gpt step.

No, don't do that; you can use the following Cumulative Update instead (it's current). https://download.microsoft.com/download/C/4/F/C4F908C9-98ED-4E5F-88D5-7D6A5004AEBD/SQLServer2017-KB4515579-x64.exe

To find the cumulative update download link I do as follows: I google a phrase like "download sql server 2017 cumulative update" and click on the Microsoft link; it'll show a page like this. Then I click on Download to download it. While it's downloading the page has changed; right click on it and choose View Source, and in the page source search for download.microsoft.com and you'll get your download link.
-
Been Hacked
anyweb replied to jerrycsakany's topic in System Center Configuration Manager (Current Branch)
If you have no good backups then you are out of luck. I assume by encrypted you mean it has ransomware encryption of some sort that has run rampant over your two (or more) servers, encrypting random files. If so you need to start fresh and make sure to focus on security this time. Do you have any idea why it got infected before? And why are there no good backups? That's a recipe for disaster. By starting fresh I mean a complete server reinstall for each affected server; you must be 100% sure that there are no infected files lingering or you will be back to square one... Whatever you do, don't pay the ransom; doing that would mean that the authors will profit at your expense and they will build even worse ransomware which you may get infected with again in the future.

OK, can you grab the app*.xml files and setup*.log stored in the $windows.~bt\Sources\Panther location after the Windows upgrade failure, zip them up and attach them here? I'll take a look.
Everyone who attends the webinar has a chance of winning a VMware VCP course (VMware Install, Config, Manage) worth $4.5k! Climbing the career ladder in the IT industry is usually dependent on one crucial condition: having the right certifications. If you’re not certified to a specified level in a certain technology used by an employer, that’s usually a non-negotiable roadblock to getting a job or even further career progression within a company. Understanding the route you should take, and creating a short, medium, and long term plan for your certification goals, is something everyone working in the IT industry must do. In order to do this properly you need the right information and luckily, an upcoming webinar from the guys at Altaro has you covered! Fast Track your IT Career with VMware Certifications is a free webinar presented by vExperts Andy Syrewicze and Luke Orellana on November 20th outlining everything you need to know about the VMware certification world including costs, value, certification tracks, preparation, resources, and more. In addition to the great content being discussed, everyone who attends the webinar has a chance of winning a VMware VCP course (VMware Install, Config, Manage) worth $4.5k! This incredible giveaway is open to anyone over the age of 18 and all you need to do to enter is register and attend the webinar on November 20th! The winner will be announced the day after the webinar via email to registrants. VMware VCP Certification is one of the most widely recognized and valued certifications for technicians and system administrators today; however, the hefty price tag of $4.5k puts it out of reach of many. The chance to get this course for free does not come along every day and should definitely not be missed! Register for the webinar and VCP Giveaway
Well, it could be that your error is a hard block. Did you check the appcompat logs to see if it was listed as a hard block? You can't ignore hard blocks.
You can adjust the Upgrade Operating System step; there's a switch you can add to ignore these types of warnings. Have you tried setting this step?
primary server OFFLINE
anyweb replied to sysadmin101's topic in System Center Configuration Manager (Current Branch)
You can use stand-alone media, which doesn't require a network connection and therefore doesn't need to speak to the management point. https://docs.microsoft.com/en-us/configmgr/osd/deploy-use/create-stand-alone-media
Been Hacked
anyweb replied to jerrycsakany's topic in System Center Configuration Manager (Current Branch)
First things first: do you have any details of what files were overwritten/infected? And do you have valid, virus-free backups of the database and all other software?

No problem! Thanks for the thanks. Oh, and by the way, this guide has an updated version here.
Troubleshooting process .. plz anyone help
anyweb replied to ksvissu's question in Troubleshooting, Tools, Hints and Tips
Take a look at this post for a list of log files and what they log; use CMTrace.exe to read your logs, it's in the tools folder of your SCCM installation. https://docs.microsoft.com/en-us/sccm/core/plan-design/hierarchy/log-files

CLIENT LOGS: all SCCM log files on the client are in C:\Windows\CCM\Logs
SERVER LOGS: server side they'll be in \\server\sccm installation path\logs

Well, what types of devices are they?
It should work on at least Server 2016; I haven't tested it on Server 2012 R2 and won't.
With Halloween only a few days away, this year Altaro gathered SysAdmins’ funniest and most horrifying stories into one eBook, especially for you. We all know that a SysAdmin’s job is no easy task and apart from constantly having systems to update, bugs to fix and users to please, SysAdmins encounter all sorts of situations throughout their careers. From tech situations to funny anecdotes, terrible mishaps or incidents with colleagues, this eBook includes real stories of what SysAdmins go through on a daily basis. The eBook is very easy to download as no registration is required. Click on Download and it’s yours. It includes more than 25 short stories but this one is our personal favourite
You'll need to put together an extensive plan of actions to make sure you can cover everything. Your best option is to go with choice number 1, and by the way there is no SCCM CB 1903; it's SCCM Current Branch version 1906 (currently). To upgrade, start by reading these points. https://docs.microsoft.com/en-us/sccm/core/servers/deploy/install/upgrade-to-configuration-manager

As you can see there is a lot to review and plan, and that's the first thing you need to do, so get to it and good luck. If you need some pointers I can include a rough draft of how we did it on one of our production upgrades.

Cheers,
Niall
The CM12 UEFI BitLocker Frontend HTA - Part 2. Installation
anyweb replied to anyweb's question in Frontends, HTA's and Web Services
I've not tested it with MDT only, but you could, and then provide feedback to us. Both MDT and SCCM use task sequences, so in theory it should work.
application management Deploying Windows 10x64 with Office 2019x64
anyweb replied to ise66's question in Windows 10
Perhaps, as the task sequence itself can have steps which add/change those sections in the unattend.xml file. So again, look at what's in the specialize section and figure out which of those settings is causing it to fail; once you've identified it, then figure out what section of the task sequence is setting those values.
Check for obsolete computer records for the computer that doesn't PXE boot any more; see my guide here...
Wipe and Install Windows 10 from Windows 7 OEM
anyweb replied to MagnumVP's topic in Configuration Manager 2012
@MagnumVP what's weird is the upgrade scenario; I have not tested migrating anything from 32-bit to 64-bit.

Windows Server Update Services (WSUS) is needed for software updates synchronization and for the software updates applicability scan on clients. The WSUS server must be installed before you create the software update point role. The following versions of WSUS are supported for a software update point:

Source: https://docs.microsoft.com/en-us/sccm/sum/plan-design/prerequisites-for-software-updates