glen8

Hi Everyone, We have not looked into bitlocker before but would like to start encrypting our laptops. There is SCCM 2002 already in place and configured for PKI. I've added the bitlocker feature to SCCM and packaged up the MBAM deployment scripts. During the OSD task sequence it's coming up with 0x0000001 during the powershell command phase. Running this manually from F8 it's showing 0x803d0013. The event logs on the SCCM server / MBAM has this: An error occurred while adding volume information to the Recovery database. Details: Cannot insert the value NULL into column 'RecoveryKey', table 'CM_LC1.dbo.RecoveryAndHardwareCore_Keys'; column does not allow nulls. INSERT fails. Once the laptop has finished imaging and is in windows, the hard disk is encrypted and the key can be seem in the computer object in AD. I've looked into the SQL DB and can see the laptops name so I know the comms is good, but why am I getting this error when running the PS? any ideas? https://imgur.com/bjON4CZ https://imgur.com/tDF0dK7 https://imgur.com/tnu6Q9F https://imgur.com/E9t5k18 Thanks!!

Did you ever figure this out? I'm really struggling with getting the keys passed back into the DB from the task sequence. AD is fine, just the DB is empty. Thanks

Thanks very much, In nearly every guide I've read on IBCM, there is only ever the mention of creating the certs yourself. I did wonder if you could mix a 3rd party certificates on the server, with internal ones for clients. Now I know you can, we'll get one ordered and installed.

Hi Everyone, We have an SCCM CB IBCM server within our DMZ serving up updates for our internet based laptop users. Today we ran an external vulnerability scan to health check the security of our network. The report flagged up a red mark against our IBCM server due to not using third party certificates. "Due to using an internally generated certificate the server is unable to verify it" or words to that effect. I'm sure I'm correct in saying that each an every client much have a unique certificate for SCCM to work, and using a third party cert would be incredibly expensive if we had to purchase 100s of them for each client. Can someone please confirm the correct usage of certificates in an IBCM scenario please. Should we be using third party certs, or carry on using the current internal ones. Thanks!

Think there is a bug with the latest CU update on servers which have the hyperv role installed (which mine does)

Hi All, I have just built a new server from an SCCM task sequence. Something isn't right with the windows updates. It looks like it's got some updates, but not the latest one. also, we are unable to rdp to the server due to a credssp error (I think it's because its missing an update). The SCCM deployments do actually contain this months update, but it's not on the server. Help!!!

Thanks Andy, Just managed to get it fixed. Stumbled across a similar post on technet. I had to tick the "allow anonymous access" on the DP. It's super fast now. It seems for whatever reason the MDT toolkit package takes ages with this unticked. Even the MS engineer who initially found the fix was stumped as to why.

Hi Everyone, This is such a pain!!!! We have an old physical server running Windows Server 2008 R2 with an old SCCM install on it. Working great and OSD takes about 45mins, but we need a new one to support Windows 10. We have built a new SCCM server on Windows Server 2016 running SCCM 1710 (latest updates, ADK, MDT etc etc). This server has way more CPU and RAM than the old one, and using it is super fast. The only issue is with imaging new machines, booting from PXE. We have ensured the HV server has the latest nic drivers, disabled virtual machine queues, set TFTP window and buffer sizes on the SCCM server but it's SOOOOO slow! The actual PXE part is fast and seems to get the boot image in under 1min. Then once in WinPE everything crawls. The first part of the task sequence is the MDT toolkit which can take over 30mins to download. The next bit when it downloads the .wim file (10gb) IS fast and gets that in around 2mins? but then the driver package again (like the toolkit) can take over 30mins. Very strange. any ideas? If we leave things alone, the machines do image....but take a few hours! Thanks!!

ok, ill open port 445 and watch on the firewall for traffic thanks for your help

How would the certificate server (lan) update the crl point (dmz)

Duplicated post

If I modified our root CA to include a new CRL DP pointing to the SCCM server already living in the DMZ, what ports do I need to open between the certificate server (LAN) to the DMZ? This is something the network team don't like doing though (opening ports I mean) also, how do I quickly and easily get all clients to renew their certificates?

Hi Everyone, We are managing clients on the LAN, DMZ (Domain joined and workgroup) and Internet. Currently everything is running over SSL and we have only enabled the correct ports for SCCM between our DMZ and LAN. There is one niggle though. Currently there is only one root CA server with no subordinates. Obviously this server is not accessible from outside of the LAN. Due to this, CRL checking has been disabled for clients and 443 IIS management sites on both the primary sccm server and an additional site server living in the DMZ. Microsoft say this on their website: "The requirement to check the CRL for each connection to a site system configured to use a PKI certificate is larger than the requirement for faster connections and efficient processing on the client, and is also larger than the risk of clients failing to connect to servers if they cannot locate the CRL." I'm not sure I completely agree. Due to last years huge virus outbreaks across the world, and the UKs NHS shutting down due to malware I would say the risk in not knowing if all your clients are healthy now outweighs any security risk in disabling CRL. at some point no doubt we will redesign our certificate servers but not for a while. Thoughts?

Hi all, I have built a site server in the DMZ running (MP, DP, SUP) which uses an RODC and is for deploying software updates to both internet clients and clients within the DMZ. There are two additional servers in the DMZ. One is domain joined and is working great, the second is on a workgroup. I have created and deployed workgroup certificates and everything seemed to go ok. I installed the sccm client on the workgroup server using these switches: ccmsetup ccmhostname:extservername.domain.com SMSMP:extservername.domain.com SMSSITECODE:XXX CCMALWAYSINF=1 SMSSIGNCERT:RootCertificate.cer /UsePKCerts /NoCRLCheck The workgroup server uses googles 8.8.8.8 DNS but I have added a local hosts record for the DMZ site server clientlocation.log is saying that the workgroup client is in an unknown location any ideas? Thanks!! :edit: Resolved, I stupidly installed the rootcert in the personal store lol all working now

Hi all, I have put a site server in our DMZ running DP, MP and SUP so we can update clients across the internet. It all looks like it's working, but I have noticed in the windowsupdate.log that when the client is on the internet it is pulling the updates down from a microsoft location. When it's back on the internal network, it switches over to the site server fine. The auto deployment rule does allow content to be pulled from the internet. I'm just wondering if a client on the internet uses the microsoft location as it's primary source rather than the DMZ server? also, a lot of people say you need to open up 8530 and 8531 from public to dmz, due to software update licences being unencrypted. Is this true? I am struggling to understand why we even need the wsus ports opening to the dmz. If internet machines prefer a microsoft location then just leave them to it? I know perhaps the reason could be if the microsoft wsus is down....but come on, how often are they down these days. Thanks!