Everything posted by anyweb

  1. I haven't tested that exact scenario so can't guarantee this will work but you could try this approach and see what happens https://www.niallbrady.com/2016/05/17/introducing-the-windows-10-uefi-bitlocker-frontend-for-system-center-configuration-manager-current-branch/
  2. hi then you are not following this guide. The error message above clearly tells you what to do to solve the problem. Add the site server's machine account to the local administrators group on the SQL server computer.
  3. I blogged about the subject some time ago, although my blog post was focused on workgroup computers, take a look it might give you some ideas
  4. hi Harley, that line is basically showing you that you can add Additional Attributes via PowerShell, you just need to define them. Try it in a lab first and you'll see they get set correctly, then adjust for production use and do the same thing. Good luck! cheers niall

     As regards part 8, that's all about time and things. Right now I focus on work and 'releases' from Microsoft; when they release something that I should blog about, I do (for example the MBAM stuff in TP1909).
  5. how long it takes depends on what hardware you are running it on, using the latest and greatest with lots of ram and loads of CPU, maybe 30-45 minutes, using something old and lacking in resources, hours....
  6. yes i get that, but the error reveals the section that's causing your problem, and it's in the Specialize section of the unattend.xml, so some component in there is causing your issue, keep pulling bits out (either manually before it reboots into windows setup) or on the server itself and update the new xml to your dp's before testing again
  7. ok so here's the pass where it's failing, if you remove this section entirely

         <component language="neutral" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" versionScope="nonSxS" publicKeyToken="31bf3856ad364e35" processorArchitecture="amd64" name="Microsoft-Windows-Deployment">
           <RunSynchronous>
             <RunSynchronousCommand>
               <Order>1</Order>
               <Description>disable user account page</Description>
               <Path>reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Setup\OOBE /v UnattendCreatedUser /t REG_DWORD /d 1 /f</Path>
             </RunSynchronousCommand>
           </RunSynchronous>
         </component>

     and then figure out why your product key is not being populated in your %OSDProductKey% variable, then i think you'll make progress...
  8. if you just followed the guide things would work, but you have changed the SQL config and are wondering why things are now failing, post your sql config (ini) here so we can see how you configured it cheers niall
  9. Introduction

     Microsoft recently released Configuration Manager Technical Preview version 1909 which contained updates to the integrated MBAM functionality within Configuration Manager and I blogged about that here; those updates included Self Service and Help Desk abilities. In a previous blog post you looked at the Self Service feature for end users and then you looked at the Help Desk feature. But what happens on the client and in the database once the recovery key has been disclosed (via the Help Desk)? The Recovery Key and Recovery Key ID will rotate.

     Note: Disclosing the Recovery Key using Self Service does not cause the key to rotate.

     What is Key Rotation

     Key rotation allows admins to use a single-use key (via the Help Desk) for unlocking a BitLocker encrypted device. Once this key is used, a new key will be generated for the device and stored securely on-premises in the ConfigMgr Database.

     Source – https://techcommunity.microsoft.com/t5/Enterprise-Mobility-Security/Microsoft-expands-BitLocker-management-capabilities-for-the/ba-p/544329

     This helps to prevent a rogue Help Desk user from trying to decrypt contents of the computer without permission, because once the key is used by the user, it’s rotated and therefore useless.

     Key Rotation

     If you look in SQL with the following query, you can view the recently used recovery key IDs and associated recovery keys and whether they were disclosed or not via the Disclosed column. Change the CM_P01 to match your own ConfigMgr database name.

         /****** Script for SelectTopNRows command from SSMS ******/
         SELECT TOP 1000 [Id]
               ,[LastUpdateTime]
               ,[RecoveryKeyId]
               ,[RecoveryKey]
               ,[Disclosed]
           FROM [CM_P01].[dbo].[RecoveryAndHardwareCore_Keys]

     Once the key has been disclosed, the MBAM agent on the client computer will force it to rotate, and you can see the new recovery ID and recovery password on the host below. And that is mirrored in SQL.

     And you can reveal that change on the client itself via Event Viewer: in the MBAM Operational logs, look for event ID 30.

     Note: The recovery key will also rotate on devices already encrypted using BitLocker if they are added to a collection that has BitLocker Management policies deployed to it. For more information about that see this post.

     Related reading

     https://www.niallbrady.com/2019/10/06/how-can-you-use-the-help-desk-feature-when-mbam-is-integrated-within-sccm/
     https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/mbam-v2/how-to-recover-a-corrupted-drive-mbam-2
     https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/mbam-v25/how-to-use-the-self-service-portal-to-regain-access-to-a-computer-mbam-25
     On-premises BitLocker management using System Center Configuration Manager
     How can I get BitLocker Recovery Keys from the ConfigMgr database
     How to fix: “Unable to find suitable Recovery Service MP. Marking policy non-compliant”
     https://techcommunity.microsoft.com/t5/Enterprise-Mobility-Security/Microsoft-expands-BitLocker-management-capabilities-for-the/ba-p/544329
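An added example, not part of anyweb's post above: a PowerShell script an admin could use to audit Help Desk disclosures against the same RecoveryAndHardwareCore_Keys table the post queries, and then confirm on the affected client that the disclosed key really has rotated, using the manage-bde protector list instead of reading event ID 30 by eye. It assumes the SqlServer module (Invoke-Sqlcmd) is installed, that CM01 and CM_P01 are placeholders for your own SQL server and site database, that Disclosed is stored as 1/0, and that the RecoveryKeyId value in the table is the same GUID that manage-bde reports as the numerical password protector ID. The audit query deliberately leaves out the RecoveryKey column so the report never carries the recovery passwords themselves.

```powershell
# Added example (not from the original post): audit Help Desk key disclosures in the
# ConfigMgr MBAM key table and verify on the client that a disclosed key has rotated.
# Assumptions: SqlServer module present; CM01 / CM_P01 are placeholders for your own
# server and site database; Disclosed is 1/0; RecoveryKeyId matches the protector GUID.

function Get-DisclosedRecoveryKeys {
    [CmdletBinding()]
    param(
        [string]$ServerInstance = 'CM01',    # placeholder, use your own SQL server
        [string]$Database       = 'CM_P01',  # placeholder, use your own site database
        [ValidateRange(1, 3650)]
        [int]$Days              = 30
    )
    # $Days is typed as [int], so interpolating it cannot alter the shape of the query.
    # RecoveryKey is intentionally not selected: an audit report should not contain
    # the recovery passwords, only who-disclosed-what-when style metadata.
    $query = @"
SELECT [Id], [LastUpdateTime], [RecoveryKeyId], [Disclosed]
FROM   [dbo].[RecoveryAndHardwareCore_Keys]
WHERE  [Disclosed] = 1
  AND  [LastUpdateTime] >= DATEADD(day, -$Days, GETDATE())
ORDER BY [LastUpdateTime] DESC
"@
    Invoke-Sqlcmd -ServerInstance $ServerInstance -Database $Database -Query $query
}

function Get-LocalRecoveryProtectorIds {
    param([string]$Drive = 'C:')
    # manage-bde prints each protector as "ID: {GUID}" followed by its password.
    # Only the GUIDs are kept; the recovery passwords printed alongside are discarded.
    $output = & manage-bde -protectors -get $Drive
    $ids = foreach ($line in $output) {
        if ("$line" -match 'ID:\s*\{([0-9A-Fa-f-]{36})\}') {
            $Matches[1].ToUpperInvariant()
        }
    }
    return @($ids)
}

function Test-RecoveryKeyRotated {
    param(
        [Parameter(Mandatory)][string]$DisclosedKeyId,
        [string]$Drive = 'C:'
    )
    # Rotation has happened when the disclosed key ID is no longer a protector on the
    # drive. $true means rotated; $false means the disclosed key still unlocks the volume.
    $normalized = ($DisclosedKeyId -replace '[{}]', '').ToUpperInvariant()
    $current    = Get-LocalRecoveryProtectorIds -Drive $Drive
    return -not ($current -contains $normalized)
}

# Usage:
#   On a machine with the SqlServer module and read access to the site database:
#     Get-DisclosedRecoveryKeys -Days 7 | Format-Table Id, LastUpdateTime, RecoveryKeyId, Disclosed
#   In an elevated prompt on the client that owns the disclosed key:
#     Test-RecoveryKeyRotated -DisclosedKeyId '<RecoveryKeyId from the report>'
```

Any key that shows as disclosed in the report but still returns $false from Test-RecoveryKeyRotated on its client is worth following up, since that is exactly the case key rotation is meant to rule out: a help desk user (or anyone who saw the ticket) still holding a working recovery password.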
  10. Introduction

      Microsoft recently released Configuration Manager Technical Preview version 1909 which contained updates to the integrated MBAM functionality within Configuration Manager and I blogged about that here; those updates included Self Service and Help Desk abilities. In a previous blog post you looked at the Self Service feature for end users. This blog post will look at the Help Desk feature. But first, why would a user need to call a help desk (in relation to MBAM)? Here’s why.

      If a user gets locked out of their Windows computer that is encrypted with BitLocker, and provided that that computer is managed by MBAM integrated with SCCM, then when BitLocker Recovery is triggered (by things like BIOS changes, software updates etc.), in order to gain access to the computer they’ll need to unlock it, and for that they’ll need the recovery key, either via Self Service which I already covered or by calling the Help Desk. Some people cannot handle fixing things themselves and always opt for calling the help desk as they want personnel to help assist them in their time of need.

      Creating Users and User Groups for MBAM

      At the help desk, you have different levels of users and depending on which user group they are in, they can get more advanced functionality. However, to gain access to this functionality requires that the help desk user is a member of a group specified when you set up MBAM. If you’ve been following my latest SCCM setup guides here, in Part 2 you’ll see that there is a PowerShell script to create users and user groups in Active Directory, including Service Accounts, for functions such as MBAM. You can see the creation of these user groups below and you can download the script(s) used here. This script creates some MBAM related users/groups which are shown below. The Help Desk function uses the MBAM_HD user group when I set it up as specified here.

      That user group is the one you use when setting up MBAM within Configuration Manager using the following script. I’ve marked in bold the bit which decides what user group belongs to the Help Desk.

          .\MBAMWebSiteInstaller.ps1 -SqlServerName <ServerName> -SqlInstanceName <InstanceName> -SqlDatabaseName <DatabaseName> -ReportWebServiceUrl <ReportWebServiceUrl> -HelpdeskUsersGroupName <DomainUserGroup> -HelpdeskAdminsGroupName <DomainUserGroup> -MbamReportUsersGroupName <DomainUserGroup> -SiteInstall Both

      You can of course create user groups with your own naming standard for your company as appropriate, this is only an example of how to set it up. What is important however, is that you add users to that user group, as those users will be able to access the Help Desk abilities in MBAM to provide support to your users.

      Help Desk User versus Help Desk Advanced User

      The script used above for creating users and user groups creates two Help Desk user groups, one for help desk users and another for help desk advanced users. All you have to do is add users to the appropriate user group; those user groups are called:

          MBAM_HD
          MBAM_HD_Adv

      The MBAM_HD user group contains users that are help desk users and they have the following abilities. Provides access to the Manage TPM and Drive Recovery areas of the Administration and Monitoring Website. Individuals who have this role must fill in all fields, including the end-user’s domain and account name, when they use either area.

      The MBAM_HD_Adv user group contains users that are help desk advanced users and they have the following abilities. Provides access to all areas of the Administration and Monitoring Website. Users who have this role enter only the recovery key, and not the end user’s domain and user name, when helping end users recover their drives.

      If a user is a member of both the MBAM Helpdesk Users group and the MBAM Advanced Helpdesk Users group, the MBAM Advanced Helpdesk Users group permissions override the MBAM Helpdesk Users Group permissions.

      Note: For more info about these user groups see this post from Microsoft.

      Note: I’ve manually created the two users below, the script does not create them as it expects you to add users to the user groups yourself.

      So let’s add a user called HelpDeskUser to the MBAM_HD user group. And let’s add a user called HelpDeskAdvanced to the MBAM_HD_Adv user group.

      Help Desk User

      Log on to a computer as HelpDeskUser and browse to the help desk website, for example in my lab it is: https://cm01.windowsnoob.lab.local/helpdesk

      You should see the following, note that the user logged on is displayed in the top right of the website. If the help desk user clicks on Drive Recovery to assist a user calling in for BitLocker Recovery, they will see the following. They need to enter all fields provided including a reason for the request before clicking submit. After submitting the request they can assist the user by providing them the drive recovery key. Note that they can copy it to (for example) email the BitLocker recovery key to the user, or save the key locally (to email to the user or give it to them over the phone), or create a .keypackage to be used when recovering corrupted drives. They can also manage the TPM (Trusted Platform Module) via the Manage TPM link. After filling in the needed info, clicking on Submit reveals the TPM Owner Password.

      Help Desk Advanced User

      Log on to a computer as HelpDeskAdvancedUser and browse to the help desk website, for example in my lab it is: https://cm01.windowsnoob.lab.local/helpdesk

      You should see the following, note that the user logged on is displayed in the top right of the website. As before, this user can assist users with Drive Recovery operations, however now it’s easier (and quicker) to do as they are only required to enter the Key ID and Reason for the recovery. And after clicking submit, the same choices are available as for the Help Desk User. For Manage TPM, again, there are fewer ‘required’ items to fill in for the Advanced help desk user (only 3 items are required to fill in versus 5 for the help desk user). And after clicking submit, the TPM Password owner file is presented.

      So there you have it, help desk functionality for MBAM is provided within SCCM as of System Center Configuration Manager Technical Preview version 1909. Do check it out, it’s awesome! In the next blog post I’ll look at MBAM reporting.

      Related reading

      https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/mbam-v2/how-to-recover-a-corrupted-drive-mbam-2
      https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/mbam-v25/how-to-use-the-self-service-portal-to-regain-access-to-a-computer-mbam-25
      On-premises BitLocker management using System Center Configuration Manager
      How can I get BitLocker Recovery Keys from the ConfigMgr database
      How to fix: “Unable to find suitable Recovery Service MP. Marking policy non-compliant”
      https://techcommunity.microsoft.com/t5/Enterprise-Mobility-Security/Microsoft-expands-BitLocker-management-capabilities-for-the/ba-p/544329
  11. Introduction

      Microsoft recently released Configuration Manager Technical Preview version 1909 which contained updates to the integrated MBAM functionality within Configuration Manager and I blogged about that here, namely Self Service and Help Desk abilities. In this blog post we’ll look at the Self Service feature for end users.

      Self Service

      What is the Self Service feature? Well, to put it quite simply, it allows the end user (that has the BitLocker Recovery prompt) to solve the problem by themselves without having to involve anyone else to support them. To use the Self Service feature, let’s first take a look at an MBAM managed Windows 10 computer. If we open control panel and look at the Configuration Manager agent, we can see that a Configuration Item for MBAM is installed and that this computer is compliant. And if we check the BitLocker settings, we can see it is encrypted as per the MBAM policy. And we can even query the Recovery key as shown below with

          manage-bde -protectors -get c:

      BitLocker Recovery

      But what if this computer had an issue, such as a change to the BIOS settings causing a BitLocker Recovery prompt at boot up? Well, because this computer is managed by MBAM and the key is stored in ConfigMgr’s database, this is no problem. So let’s see how that plays out. As you can see from the screen above, the Windows 10 computer is prompting the end user for a BitLocker Recovery key as something (BIOS change etc.) has prompted it to do so. The end user has two choices here: call their internal help desk or solve it themselves using self service.

      So how does MBAM Self Service work?

      The user can use another Windows device (or phone) to access the self service URL located at their site, in my lab that is https://cm01.windowsnoob.lab.local/SelfService

      After logging in with their company credentials, they’ll be prompted with a notice which they need to read and accept.

      Customizing the Self Service Portal

      Notice how the page and notice text are customized for the organization. To make those changes simply locate the Notice.txt file in your MBAM self service installation folder; in this technical preview release it's located here:

          C:\inetpub\Microsoft BitLocker Management Solution\Self Service Website

      and edit the notice.txt as Administrator (you may have to open the file via an administrative command prompt to save the changes). I added the following text:

          Welcome to the windowsnoob Microsoft BitLocker Management Solution ! By using this web site you agree that all your actions are logged, do not use this service for gaining access to computers encrypted file system without proper authorization.

      Save the file and then open Internet Information Services (IIS), and expand the Self Service app. Click on Application Settings. In Application Settings, modify CompanyName from Contoso IT to your company name.

      The Self Service experience

      Once the user accepts the notice they can click on Continue. They are then presented with recovery options. Here (1), the user can insert the first 8 characters of their Recovery Key ID displayed on their boot up screen and select a reason from one of three options:

          BIOS/TPM changed
          OS Files modified
          Lost PIN-Passphrase

      And then click on Get Key. The Recovery Key is displayed in (2). That’s all you need; there is a third optional option to change your BitLocker credentials via control panel after unlocking the device. Once entered, the user can boot their computer and all is fine. Job done!

      For the ConfigMgr Admins out there that like to do things using SQL, you can also get that recovery key directly using queries within the ConfigMgr database as I show here.

      Related reading

      https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/mbam-v25/how-to-use-the-self-service-portal-to-regain-access-to-a-computer-mbam-25
      On-premises BitLocker management using System Center Configuration Manager
      How can I get BitLocker Recovery Keys from the ConfigMgr database
      How to fix: “Unable to find suitable Recovery Service MP. Marking policy non-compliant”
      https://techcommunity.microsoft.com/t5/Enterprise-Mobility-Security/Microsoft-expands-BitLocker-management-capabilities-for-the/ba-p/544329

      In the next blog post I’ll show you how the Help Desk functionality works. until next time, cheers niall
  12. might be nice of you to include what you did to solve your own issue in case someone else has the same problem later on.
  13. ok good point i'll modify the guide, my main goal was installing it via PowerShell so I missed this, thanks !
  14. sometimes only the cat/sys and inf are needed, sometimes more than that, each driver/hardware device has different requirements, also the inf itself may point to additional files and that's why they are sometimes required. If in doubt start with the cat/sys/inf and try importing that, if it works all is good, if not look at the contents of the inf file to see what files it expects to be added.
  15. here's your hint, if you look at part 1, the ConfigureADDS.ps1 script configures ADDS (active directory domain services) and then creates a new script, and then restarts the server and runs the new script after the restart. you could use that method to achieve the same thing
  16. if you restart the server, and run the pre-req again what does it say ? if it's still the same attach the log here.
  17. is anything else waiting for a restart on this computer like windows updates or something ? or something stuck in the registry ?