anyweb

Root Admin
  • Content Count: 8,326
  • Joined
  • Last visited
  • Days Won: 329

Everything posted by anyweb

  1. are you saying they are reporting as non-compliant but are in fact, compliant ? if so have you installed the hotfix available for 1910 in the console ?
  2. i'll try and do up a blog post on this in the coming weeks, time willing of course
  3. you could follow this guide and it should populate your keys in configmgr's database https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/mbam-v25/how-to-enable-bitlocker-by-using-mbam-as-part-of-a-windows-deploymentmbam-25
  4. just to be clear, are you saying you want to have your OSD task sequences take care of Bitlocker Encryption and storage of the key in ConfigMgr 1910 with the bitlocker management feature enabled ?
  5. hi Florian, I'd suggest you look inside the powershell script itself, and use switches based on that, here's a hint, post your results here. And as regards the Bitlocker Management websites being in SSL or not, Microsoft recommends but doesn't require the use of HTTPS for the Bitlocker websites (HTTPS is still required in CM1910 for the MP recovery service endpoint though) https://docs.microsoft.com/en-us/configmgr/protect/deploy-use/bitlocker/setup-websites
  6. it's covered in this video, simply point it to the servername where you intend those services to run and the command lines are here.
  7. you can move them by running the powershell script to install the helpdesk and self service desk on another site server, it must have IIS installed along with the prerequisites below

     > In version 1910, to create a BitLocker management policy, you need the Full Administrator role in Configuration Manager.
     >
     > To integrate the BitLocker recovery service in Configuration Manager requires a HTTPS-enabled management point. On the properties of the management point, the Client connections setting must be HTTPS. Note: In version 1910, it doesn't support Enhanced HTTP.
     >
     > To use the BitLocker management reports, install the reporting services point site system role. For more information, see Configure reporting. Note: In version 1910, for the Recovery Audit Report to work from the administration and monitoring website, only use a reporting services point at the primary site.
     >
     > To use the self-service portal or the administration and monitoring website, you need a Windows server running IIS. You can reuse a Configuration Manager site system, or use a standalone web server that has connectivity to the site database server. Use a supported OS version for site system servers. Note: In version 1910, only install the self-service portal and the administration and monitoring website with a primary site database. In a hierarchy, install these websites for each primary site.
     >
     > On the web server that will host the self-service portal, install Microsoft ASP.NET MVC 4.0.
     >
     > The user account that runs the portal installer script needs SQL sysadmin rights on the site database server. During the setup process, the script sets login, user, and SQL role rights for the web server machine account. You can remove this user account from the sysadmin role after you complete setup of the self-service portal and the administration and monitoring website.
  8. did you try to restart the wds service and redist your boot images after doing the change ?
  9. hi, see below

     > do we need to enable full disk encryption during the OSD for this to work?

     the following docs explain that you can do this during OSD

     > By default, the Enable BitLocker task sequence step only encrypts used space on the drive. BitLocker management uses full disk encryption. Configure this task sequence step to enable the option to Use full disk encryption. For more information, see Task sequence steps - Enable BitLocker.

     > -do we need to set bitlocker encryption levels in the OSD still and GPOs or just use the new Bitlocker deployment policy after the machine is online?

     it's up to you which way works better, do you want to control bitlocker (keys) during OSD or after, that's entirely up to you, the easiest way is to simply target the policy after it's imaged, but the safest way is to configure it during OSD.
  10. if you want to remove choice then simply deploy the task sequence with a purpose of Required, but, be warned, be very careful about what collection you deploy any required task sequences to because they are Mandatory and can cause all sorts of issues if you get your queries wrong, or if you target a collection with many computers inside...
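The warning above is about mandatory deployments hitting the wrong collection. The following guard-rail is an added example, not anyweb's code or anything from the ConfigMgr product: it refuses built-in collections, prints the membership query rules and the current members so a bad query is visible before anything mandatory exists, and stops above a member threshold unless explicitly forced. It assumes the ConfigurationManager PowerShell module from a console install; the cmdlet names and parameters are those of that module as I know them (verify against your build), and the collection name and package ID at the bottom are placeholders.

```powershell
# Added example, not anyweb's code. Guard-rail for creating a Required
# (mandatory) task sequence deployment against a collection.
# Assumptions: ConfigurationManager module available via a console install,
# cmdlet/parameter names as in that module; placeholder names/IDs below.

function New-GuardedRequiredTaskSequenceDeployment {
    param(
        [Parameter(Mandatory)] [string] $CollectionName,
        [Parameter(Mandatory)] [string] $TaskSequencePackageId,
        [int] $MaxMembers = 25,
        [switch] $Force
    )

    # Load the console's module and switch to the site drive (for example "P01:").
    Import-Module (Join-Path $env:SMS_ADMIN_UI_PATH '..\ConfigurationManager.psd1')
    $siteDrive = Get-PSDrive -PSProvider CMSite | Select-Object -First 1
    Push-Location "$($siteDrive.Name):"
    try {
        # Built-in collections must never receive a Required OSD deployment.
        $blocked = @('All Systems', 'All Desktop and Server Clients', 'All Unknown Computers')
        if ($blocked -contains $CollectionName) {
            throw "Refusing a Required deployment to built-in collection '$CollectionName'."
        }

        if (-not (Get-CMDeviceCollection -Name $CollectionName)) {
            throw "Collection '$CollectionName' not found."
        }

        # Show the query rules first, so a wrong WQL rule is caught at its source.
        Get-CMDeviceCollectionQueryMembershipRule -CollectionName $CollectionName |
            Select-Object RuleName, QueryExpression | Format-List | Out-Host

        # Then show who is actually in the collection right now.
        $members = @(Get-CMCollectionMember -CollectionName $CollectionName)
        Write-Host ("'{0}' has {1} member(s):" -f $CollectionName, $members.Count)
        $members | Select-Object Name, DeviceOS | Format-Table -AutoSize | Out-Host

        if ($members.Count -eq 0) {
            throw 'Collection is empty; check the membership rules before deploying.'
        }
        if ($members.Count -gt $MaxMembers -and -not $Force) {
            throw "Collection has $($members.Count) members (limit $MaxMembers). Re-run with -Force only after reviewing the list above."
        }

        New-CMTaskSequenceDeployment -CollectionName $CollectionName `
            -TaskSequencePackageId $TaskSequencePackageId `
            -DeployPurpose Required `
            -Availability Clients `
            -ShowTaskSequenceProgress $true
    }
    finally {
        Pop-Location
    }
}

# Placeholder values: replace with a small pilot collection and your task sequence's package ID.
# New-GuardedRequiredTaskSequenceDeployment -CollectionName 'OSD Pilot - Win10' -TaskSequencePackageId 'P0100042'
```

The member threshold is deliberately low by default; raising it should be a conscious decision per deployment rather than a permanent change to the function.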
  11. did you already create a policy previously ? i'd suggest you look at my videos here, start with #1 and work your way through them, i cover this exact question in there.
      BitLocker management – Part 1 Initial setup
      BitLocker management – Part 2 Deploy portals
      BitLocker management – Part 3 Customize portals
      BitLocker management – Part 4 Force encryption with no user action
      BitLocker management – Part 5 key rotation
      BitLocker management – Part 6 Force decryption with no user action
      BitLocker management – Part 7 Reporting and compliance
      BitLocker management – Part 8 Migration
      BitLocker management – Part 9 Group Policy settings
      BitLocker management – Part 10 Troubleshooting
  12. you'd need to provide some actual context of what you are trying here and where it failed, can you tell us more about your problem ?
  13. it was linked to in the article, see https://docs.microsoft.com/en-us/windows/deployment/update/waas-manage-updates-wufb

      > Types of updates managed by Windows Update for Business
      >
      > Windows Update for Business provides management policies for several types of updates to Windows 10 devices:
      >
      > Feature updates: previously referred to as upgrades, feature updates contain not only security and quality revisions, but also significant feature additions and changes; they are released semi-annually in the fall and in the spring.
      >
      > Quality updates: these are traditional operating system updates, typically released the second Tuesday of each month (though they can be released at any time). These include security, critical, and driver updates. Windows Update for Business also treats non-Windows updates (such as those for Microsoft Office or Visual Studio) as quality updates. These non-Windows Updates are known as "Microsoft updates" and can configure devices to receive or not receive such updates along with their Windows updates.
      >
      > Driver updates: these are non-Microsoft drivers that are applicable to your devices. Driver updates can be turned off by using Windows Update for Business policies.
      >
      > Microsoft product updates: these are updates for other Microsoft products, such as Office. These updates can be enabled or disabled by using Windows Update for Business policy.
      >
      > Offering
      >
      > You can control when updates are applied, for example by deferring when an update is installed on a device or by pausing updates for a certain period.
      >
      > Manage which updates are offered
      >
      > Windows Update for Business offers you the ability to turn on or off both driver and Microsoft product updates.
      >
      > Drivers (on/off): When "on," this policy will not include drivers with Windows Update.
      > Microsoft product updates (on/off): When "on" this policy will install updates for other Microsoft products.
      >
      > Manage when updates are offered
      >
      > You can defer or pause the installation of updates for a set period of time.
      >
      > Defer or pause an update
      >
      > A Windows Update for Business administrator can defer the installation of both feature and quality updates from deploying to devices within a bounded range of time from when those updates are first made available on the Windows Update service. You can use this deferral to allow time to validate deployments as they are pushed to devices. Deferrals work by allowing you to specify the number of days after an update is released before it is offered to a device (if you set a feature update deferral period of 365 days, the device will not install a feature update that has been released for less than 365 days). To defer feature updates use the Select when Preview Builds and Feature Updates are Received policy.
      >
      > Category          Maximum deferral
      > Feature updates   365 days
      > Quality updates   30 days
      > Non-deferrable    none
      >
      > Pause an update
      >
      > If you discover a problem while deploying a feature or quality update, the IT administrator can pause the update for 35 days to prevent other devices from installing it until the issue is mitigated. If you pause a feature update, quality updates are still offered to devices to ensure they stay secure. The pause period for both feature and quality updates is calculated from a start date that you set. To pause feature updates use the Select when Preview Builds and Feature Updates are Received policy and to pause quality updates use the Select when Quality Updates are Received policy. For more information, see Pause feature updates and Pause quality updates.
      >
      > Select branch readiness level for feature updates
      >
      > The branch readiness level enables administrators to specify which channel of feature updates they want to receive. Today there are branch readiness level options for both pre-release and released updates:
      >
      > Windows Insider Program for Business pre-release updates
      >   Windows Insider Fast
      >   Windows Insider Slow
      >   Windows Insider Release Preview
      > Semi-annual Channel for released updates
      >
      > Prior to Windows 10, version 1903, there are two channels for released updates: Semi-annual Channel and Semi-annual Channel (Targeted). Deferral days are calculated against the release date of the chosen channel. Starting with Windows 10, version 1903 there is only the one release channel: Semi-annual Channel. All deferral days will be calculated against a release’s Semi-annual Channel release date. To see release dates, visit Windows Release Information. You can set the branch readiness level by using the Select when Preview Builds and Feature Updates are Received policy. In order to use this to manage pre-release builds, first enable preview builds by using the Manage preview Builds policy.
      >
      > Recommendations
      >
      > For the best experience with Windows Update, follow these guidelines:
      >   Use devices for at least 6 hours per month, including at least 2 hours of continuous use.
      >   Keep devices regularly charged. Plugging in devices overnight enables them to automatically update outside of active hours.
      >   Make sure that devices have at least 10 GB of free space.
      >   Give devices unobstructed access to the Windows Update service.
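The quoted documentation gives hard limits (feature deferral up to 365 days, quality deferral up to 30 days, a pause of 35 days from its start date) but nothing on the page checks a device against them. The script below is an added example, not from the post or from Microsoft's documentation: it audits a set of Windows Update for Business policy values against those limits and reports pauses that have quietly expired. The registry path and value names (`DeferFeatureUpdatesPeriodInDays`, `PauseFeatureUpdatesStartTime`, `BranchReadinessLevel` and so on under `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate`) are assumed from the WUfB policy documentation and should be verified on your build; the sample values are constructed.

```powershell
# Added example, not code from the post or from Microsoft. Audits WUfB
# deferral/pause values against the limits stated in the quoted docs.
# Assumption: registry path and value names as written by the WUfB policy
# CSP/GPO; verify against your Windows build.

$WufbPolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# BranchReadinessLevel numeric values as documented for the policy (assumption).
$BranchReadiness = @{
    2  = 'Windows Insider Fast'
    4  = 'Windows Insider Slow'
    8  = 'Windows Insider Release Preview'
    16 = 'Semi-annual Channel (Targeted)'   # single Semi-annual Channel from 1903 on
    32 = 'Semi-annual Channel'
}

function Test-WufbDeferralSettings {
    param(
        [Parameter(Mandatory)] [hashtable] $Values,   # value name -> value
        [datetime] $Now = (Get-Date)
    )
    $findings = New-Object System.Collections.Generic.List[string]

    $featureDays = if ($Values.ContainsKey('DeferFeatureUpdatesPeriodInDays')) { [int]$Values['DeferFeatureUpdatesPeriodInDays'] } else { 0 }
    $qualityDays = if ($Values.ContainsKey('DeferQualityUpdatesPeriodInDays')) { [int]$Values['DeferQualityUpdatesPeriodInDays'] } else { 0 }

    if ($featureDays -lt 0 -or $featureDays -gt 365) {
        $findings.Add("Feature update deferral of $featureDays days is outside the documented 0-365 range.")
    }
    if ($qualityDays -lt 0 -or $qualityDays -gt 30) {
        $findings.Add("Quality update deferral of $qualityDays days is outside the documented 0-30 range.")
    }

    # A pause lasts 35 days from its start date; flag pauses that have silently expired.
    foreach ($kind in 'Feature', 'Quality') {
        $name = "Pause${kind}UpdatesStartTime"
        if ($Values.ContainsKey($name) -and $Values[$name]) {
            $start = [datetime]::ParseExact([string]$Values[$name], 'yyyy-MM-dd', [cultureinfo]::InvariantCulture)
            $age = ($Now.Date - $start.Date).Days
            if ($age -gt 35) {
                $findings.Add("$kind update pause started $age days ago; a pause lasts 35 days, so it has expired and updates are being offered again.")
            } else {
                $findings.Add("$kind updates are paused; $(35 - $age) day(s) of the 35-day pause remain.")
            }
        }
    }

    $level   = if ($Values.ContainsKey('BranchReadinessLevel')) { [int]$Values['BranchReadinessLevel'] } else { 32 }
    $channel = if ($BranchReadiness.ContainsKey($level)) { $BranchReadiness[$level] } else { "unknown ($level)" }

    [pscustomobject]@{
        Channel          = $channel
        FeatureDeferDays = $featureDays
        QualityDeferDays = $qualityDays
        Findings         = $findings.ToArray()
    }
}

# Reads the live policy values into the hashtable shape Test-WufbDeferralSettings expects.
function Get-WufbPolicyValues {
    param([string] $Path = $WufbPolicyPath)
    $values = @{}
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($item) {
        foreach ($n in 'BranchReadinessLevel', 'DeferFeatureUpdatesPeriodInDays',
                       'DeferQualityUpdatesPeriodInDays', 'PauseFeatureUpdatesStartTime',
                       'PauseQualityUpdatesStartTime') {
            if ($null -ne $item.$n) { $values[$n] = $item.$n }
        }
    }
    $values
}

# Constructed sample: a feature deferral beyond the maximum and a pause that
# started more than 35 days before the audit date.
$sample = @{
    BranchReadinessLevel            = 32
    DeferFeatureUpdatesPeriodInDays = 400
    DeferQualityUpdatesPeriodInDays = 14
    PauseFeatureUpdatesStartTime    = '2020-01-01'
}
Test-WufbDeferralSettings -Values $sample -Now ([datetime]'2020-02-19') | Format-List

# On a managed device, audit the live policy instead:
# Test-WufbDeferralSettings -Values (Get-WufbPolicyValues) | Format-List
```

Keeping the check separate from the registry read is what makes it usable as a ConfigMgr configuration item discovery script or in a lab: the same function can be fed constructed values or the values a device actually received.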
  14. it's all documented here https://docs.microsoft.com/en-us/configmgr/sum/deploy-use/integrate-windows-update-for-business-windows-10 take a look at that and if you have any more questions then post back here
  15. you could also use Windows Update for business policies to enforce this, much easier and configurable within ConfigMgr
  16. And to answer your last question:

      > One last question if currently all our machines have bit locker on and I add them to this new policy will it be able to pull the current in use recovery Keys or would I have to decrypt then re-encrypt?

      If you have a computer that is already encrypted with Bitlocker, let's say with AES 128 (or some other encryption algorithm), and you later add this computer to your Bitlocker Management collection that has a policy targeted to it, the computer will get the Bitlocker management policy and then decide whether it is compliant or not based on the settings of that policy, it will NOT re-encrypt the already encrypted drive (if for example the algorithm doesn't match your configured Bitlocker Management policy).

      In addition on that already encrypted drive, regardless of whether or not it is compliant with your bitlocker management policy, the MDOP agent will rotate the existing bitlocker recovery key and store the newly rotated recovery key in the ConfigMgr database.

      In the screenshot below you can see the recovery key has rotated on the already encrypted (with Bitlocker) client, and the new key is now stored in ConfigMgr's database, this computer was previously encrypted with Bitlocker using GPO settings from AD but it doesn't matter how it was encrypted with Bitlocker, the fact is it was already encrypted.

      Side note #1: if you were saving the key to your on-premises Active Directory prior to using the Bitlocker Management features in ConfigMgr, then the newly rotated recovery key will also be stored in Active Directory

      Side note #2: Those same keys will also be stored in the cloud (if you have Azure AD connect setup) as shown below

      What about compliance of your Bitlocker Management policy ?

      if you look closely at the first screenshot, you can also see that the client is non-compliant for the 'enable bitlocker encryption' Bitlocker Management policy i created, and that is because this client computer only has AES-128 as the algorithm and the policy requires AES-256, to resolve the compliance problem, you'd have to decrypt the drive and then re-encrypt with the correct algorithm as defined in your Bitlocker Management policy in ConfigMgr, only after doing that would it register as compliant

      cheers
      niall
  17. what policy settings have you configured and have you verified the client is indeed in the collection where you deployed it ?
  18. hi Neil

      > Thanks for your guide it was very helpful!

      you are welcome.

      > I have installed the BitLocker extension on 1910 and have currently deployed it to one newly built machine as a test. This was all successful however is the only way to view the key to query the database directly as this seems a bit clunky,

      i'm not really following what you are saying there but if you are asking how to review the recovery key, normally you'd use the Helpdesk feature as described in the part 2 and part 3 videos here
  19. no timeline yet, thanks for the thanks, i still have 2 videos of my Bitlocker Management series to complete, then i'll get to it sorry for the delay but all this takes time
  20. i'd recommend using the install.wim baked into the original media and not 'capture' fat images any more, it's quicker and will save you time and effort in the long run, why are you capturing images now anyway ?
  21. It’s common knowledge, or at least should be, that certifications are the most effective way for IT professionals to climb the career ladder and it’s only getting more important in an increasingly competitive professional marketplace. Similarly, cloud-based technologies are experiencing unparalleled growth and the demand for IT professionals with qualifications in this sector are growing rapidly. Make 2020 your breakthrough year - check out this free upcoming webinar hosted by two Microsoft cloud experts to plan your Azure certification strategy in 2020. The webinar features a full analysis of the Microsoft Azure certification landscape in 2020, giving you the knowledge to properly prepare for a future working with cloud-based workloads. Seasoned veterans Microsoft MVP Andy Syrewicze and Microsoft cloud expert Michael Bender will be hosting the event which includes Azure certification tracks, training and examination costs, learning materials, resources and labs for self-study, how to gain access to FREE Azure resources, and more. Altaro’s webinars are always well attended and one reason for this is the encouragement for attendee participation. Every single question asked is answered and no stone is left unturned by the presenters. They also present the event live twice to allow as many people as possible to have the chance of attending the event and asking their questions in person! For IT professionals in 2020, and especially those with a Microsoft ecosystem focus, this event is a must-attend! The webinar will be held on Wednesday February 19, at 3pm CET/6am PST/9am EST and again at 7pm CET/10am PST/1pm EST. I’ll be attending so I’ll see you there! Save your free webinar seat
  22. > Thanks for the video you posted on Youtube! I really like that you didn’t edit out your troubleshooting. Seeing you troubleshoot gives the video a higher value than simply showing a 100% working environment!

      thank you !

      1. it can be completely silent see >
      2. MDOP is not a self healing product, but you can use CI/CB's in ConfigMgr to achieve this (via compliance), MDOP offers the helpdesk and self service portals, encryption of the database and traffic between client and the database.
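Post 16 above describes the compliance case (a drive already encrypted with AES-128 against a policy that requires AES-256, which stays non-compliant until it is decrypted and re-encrypted), and post 22 points at CI/CBs in ConfigMgr as the way to get compliance checking beyond what MDOP itself does. The script below is an added example serving both; it is not anyweb's code and not the logic of the BitLocker management (MDOP) agent. It is written as a configuration item discovery script: it reports whether the OS volume's existing encryption matches the required algorithm and whether a recovery password protector exists to escrow, and it only reports. It assumes the built-in BitLocker PowerShell module, and `$RequiredMethod` uses the `EncryptionMethod` names that `Get-BitLockerVolume` returns (`Aes128`, `Aes256`, `XtsAes128`, `XtsAes256`); the log path is an assumption.

```powershell
# Added example; not anyweb's code and not the MDOP agent's logic.
# ConfigMgr CI discovery script: does this volume's existing BitLocker
# encryption match the algorithm the BitLocker management policy requires?
# Assumptions: built-in BitLocker module present; method names follow
# Get-BitLockerVolume's EncryptionMethod values; log path chosen here.

function Get-BitLockerPolicyCompliance {
    param(
        [string] $MountPoint = $env:SystemDrive,
        [string] $RequiredMethod = 'Aes256'   # e.g. Aes128, Aes256, XtsAes128, XtsAes256
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    $method = "$($vol.EncryptionMethod)"
    $hasRecoveryPassword = [bool]($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

    # Collect every reason the volume fails the policy, not just the first one.
    $reasons = @()
    if ("$($vol.VolumeStatus)" -ne 'FullyEncrypted') { $reasons += "volume status is $($vol.VolumeStatus)" }
    if ("$($vol.ProtectionStatus)" -ne 'On')         { $reasons += "protection status is $($vol.ProtectionStatus)" }
    if ($method -ne $RequiredMethod)                  { $reasons += "encrypted with $method but policy requires $RequiredMethod" }
    if (-not $hasRecoveryPassword)                    { $reasons += 'no recovery password protector to escrow' }

    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        EncryptionMethod = $method
        Compliant        = ($reasons.Count -eq 0)
        Reasons          = $reasons
    }
}

# CI discovery entry point: ConfigMgr compares the script's output string with
# the expected value configured on the CI ("Compliant"). The reasons go to a
# local log so the helpdesk can see why a device is non-compliant without
# querying the site database. An algorithm mismatch is only resolved by
# decrypting and re-encrypting the drive, which this script does not do.
$result = Get-BitLockerPolicyCompliance -RequiredMethod 'Aes256'
if (-not $result.Compliant) {
    "$(Get-Date -Format s) $($result.MountPoint) $($result.Reasons -join '; ')" |
        Out-File -Append -FilePath (Join-Path $env:ProgramData 'BitLockerPolicyCompliance.log')
}
if ($result.Compliant) { 'Compliant' } else { 'NonCompliant' }
```

Set the CI's expected discovery value to the string `Compliant` and leave remediation unset; the point is visibility of the mismatch the post describes, while the re-encryption itself stays a deliberate, scheduled action.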
  23. here's how i installed Windows Server 2019 on it in case you are interested https://www.niallbrady.com/2019/02/09/installing-windows-server-2019-on-a-lenovo-p1-for-data-dedup-my-rough-notes/
  24. have you seen these guides, they work 100% for me
      How can I configure System Center Configuration Manager in HTTPS mode (PKI) - Part 1
      How can I configure System Center Configuration Manager in HTTPS mode (PKI) - Part 2