Established Members
Everything posted by glen8

  1. Hi Everyone, We have not looked into BitLocker before but would like to start encrypting our laptops. There is SCCM 2002 already in place and configured for PKI. I've added the BitLocker feature to SCCM and packaged up the MBAM deployment scripts. During the OSD task sequence it's coming up with 0x0000001 during the PowerShell command phase. Running this manually from F8 it's showing 0x803d0013. The event logs on the SCCM server / MBAM have this: An error occurred while adding volume information to the Recovery database. Details: Cannot insert the value NULL into c
  2. Did you ever figure this out? I'm really struggling with getting the keys passed back into the DB from the task sequence. AD is fine, just the DB is empty. Thanks
  3. Thanks very much. In nearly every guide I've read on IBCM, there is only ever the mention of creating the certs yourself. I did wonder if you could mix a third-party certificate on the server with internal ones for clients. Now I know you can, we'll get one ordered and installed.
  4. Hi Everyone, We have an SCCM CB IBCM server within our DMZ serving up updates for our internet-based laptop users. Today we ran an external vulnerability scan to health check the security of our network. The report flagged up a red mark against our IBCM server due to not using third-party certificates. "Due to using an internally generated certificate the server is unable to verify it" or words to that effect. I'm sure I'm correct in saying that each and every client must have a unique certificate for SCCM to work, and using a third-party cert would be incredibly expensive if we h
  5. Think there is a bug with the latest CU update on servers which have the Hyper-V role installed (which mine does).
  6. Hi All, I have just built a new server from an SCCM task sequence. Something isn't right with the Windows updates. It looks like it's got some updates, but not the latest one. Also, we are unable to RDP to the server due to a CredSSP error (I think it's because it's missing an update). The SCCM deployments do actually contain this month's update, but it's not on the server. Help!!!
  7. Thanks Andy. Just managed to get it fixed. Stumbled across a similar post on TechNet. I had to tick "allow anonymous access" on the DP. It's super fast now. It seems for whatever reason the MDT toolkit package takes ages with this unticked. Even the MS engineer who initially found the fix was stumped as to why.
  8. Hi Everyone, This is such a pain!!!! We have an old physical server running Windows Server 2008 R2 with an old SCCM install on it. Working great, and OSD takes about 45 mins, but we need a new one to support Windows 10. We have built a new SCCM server on Windows Server 2016 running SCCM 1710 (latest updates, ADK, MDT etc. etc.). This server has way more CPU and RAM than the old one, and using it is super fast. The only issue is with imaging new machines, booting from PXE. We have ensured the HV server has the latest NIC drivers, disabled virtual machine queues, set TFTP window a
  9. OK, I'll open port 445 and watch on the firewall for traffic. Thanks for your help.
  10. How would the certificate server (LAN) update the CRL point (DMZ)?
  11. If I modified our root CA to include a new CRL DP pointing to the SCCM server already living in the DMZ, what ports do I need to open between the certificate server (LAN) and the DMZ? This is something the network team don't like doing, though (opening ports, I mean). Also, how do I quickly and easily get all clients to renew their certificates?
  12. Hi Everyone, We are managing clients on the LAN, DMZ (Domain joined and workgroup) and Internet. Currently everything is running over SSL and we have only enabled the correct ports for SCCM between our DMZ and LAN. There is one niggle though. Currently there is only one root CA server with no subordinates. Obviously this server is not accessible from outside of the LAN. Due to this, CRL checking has been disabled for clients and 443 IIS management sites on both the primary sccm server and an additional site server living in the DMZ. Microsoft say this on their website:
  13. Hi all, I have built a site server in the DMZ running (MP, DP, SUP) which uses an RODC and is for deploying software updates to both internet clients and clients within the DMZ. There are two additional servers in the DMZ. One is domain joined and is working great; the second is in a workgroup. I have created and deployed workgroup certificates and everything seemed to go OK. I installed the SCCM client on the workgroup server using these switches: ccmsetup CCMHOSTNAME=extservername.domain.com SMSMP=extservername.domain.com SMSSITECODE=XXX CCMALWAYSINF=1 SMSSIGNCERT=RootCertif
  14. Hi all, I have put a site server in our DMZ running DP, MP and SUP so we can update clients across the internet. It all looks like it's working, but I have noticed in the windowsupdate.log that when the client is on the internet it is pulling the updates down from a Microsoft location. When it's back on the internal network, it switches over to the site server fine. The auto deployment rule does allow content to be pulled from the internet. I'm just wondering if a client on the internet uses the Microsoft location as its primary source rather than the DMZ server? Also, a lot
  15. Typical, the minute I create this post I check the mplist to find only one server listed. I check the management point on the DMZ server and it's set to "internet clients only". I did change this to "both internet and intranet" but who knows why it never saved. Also forgot to tick the second MP server under (Sites, Management Points)....oops. Trying again!!
  16. Just a heads up for anyone doing the same thing. Port 53 is not needed so long as you are happy manually registering the server name in DNS yourself. If so, remember to untick "register this in DNS" on the network card.
  17. I've changed my original question to a different one, rather than creating a whole new thread
  18. For those of you who have installed a domain-joined member server for IBCM in the DMZ, and used an RODC for domain services, did you open up port 53 (DNS) between the IBCM server and your internally based writable domain controllers? Thanks
  19. Hi all, I have an IBCM server installed in our DMZ. Everything is working great, and I am allowing it to also update member servers in the DMZ as well as internet clients. Certs are all good, logs are fine. My issue however is that the member servers in the DMZ are assigned to the wrong MP. They are going to the primary site server, not the server in the DMZ. Things I have checked: Boundaries and boundary groups are set and contain just the DMZ site server Hierarchy setting is ticked for "Clients prefer to use management points specified in boundary groups" Cli
  20. Hi Everyone, I have installed a DP in my DMZ to update internet client machines. Would it be possible for that DP to also perform updates on servers living in the DMZ? There's not many. We are currently doing the windows updates manually. Thanks!
  21. Typical!!!! I've found them by looking in the control panel. That will do for now. Thanks
  22. Hi all, This is a strange one. Just imaged a PC via SCCM using a Windows 10 1709 image. I could see Windows updates were being deployed OK, and everything installed without issue. I checked all the logs and could see the updates installed. Windows Update also listed all the updates installed.....UNTIL I rebooted the PC. Now the history has vanished! There were around 30 updates (mainly Office 2016) listed but now nothing. Any ideas? Thanks UpdatesStore.log <![LOG[Queried Update (ff4a4508-e334-4006-bdde-c87f2a4f32eb): Status=Installed, Title=2018-01 Cumulat
  23. OK, I just realized that if my task sequence is changed from mandatory to available, unknown machines need to press F12 to PXE. I guess that's a good enough workaround at the minute.
  24. Hi all, I've installed SCCM 2012 R2 and enabled PXE for the Unknown Computer collection. This is what I want, and all unknown machines image fine. Brilliant! There is a problem, however. We have hundreds of non-domain-joined thin client terminals (Asus Revo) which have BIOS set to boot to PXE first. When the users power on in the morning, they are booting into the task sequence image!! This is very bad :-( I've done a network discovery scan which has found all the thin clients, so I can see all their names and MAC addresses in the 'All Systems' collection. I guess that eve
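Several of the posts above (the workgroup client in the DMZ, the MP listed as "internet clients only", DMZ member servers landing on the wrong MP, and CRL checking disabled because the root CA is unreachable from outside the LAN) come down to the same client-side questions: which MP has the client actually chosen, does it think it is on the internet, and does its client-authentication certificate chain (including revocation) verify from where the machine sits. The script below is an added example, not code from any of the posts; it reads the client's own WMI namespaces and certificate store. The `$ExpectedMP` default reuses the placeholder host name from post 13 and is an assumption; replace it with the FQDN of the DMZ/IBCM management point. It must be run elevated on a machine with the ConfigMgr client installed.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the forum posts): client-side diagnostics for an IBCM/DMZ ConfigMgr client.
# Assumption: $ExpectedMP is a placeholder; set it to your DMZ management point FQDN.
param(
    [string]$ExpectedMP = 'extservername.domain.com'
)

$ccm = 'root\ccm'

# 1. Site assignment and the MP the client is currently using.
$authority = Get-CimInstance -Namespace $ccm -ClassName SMS_Authority -ErrorAction Stop
$siteCode  = $authority.Name -replace '^SMS:', ''
$currentMP = $authority.CurrentManagementPoint
"Site code      : $siteCode"
"Current MP     : $currentMP"

# 2. Internet/intranet state as the client sees it, plus the CCMALWAYSINF override
#    (post 13 installs the workgroup client with CCMALWAYSINF=1).
$inInternet     = (Get-CimInstance -Namespace $ccm -ClassName ClientInfo).InInternet
$alwaysInternet = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\CCM\Security' `
                     -Name ClientAlwaysOnInternet -ErrorAction SilentlyContinue).ClientAlwaysOnInternet
"InInternet     : $inInternet"
"AlwaysOnInet   : $alwaysInternet"

# 3. Every MP the client knows about; Type shows whether it was offered as an
#    intranet or internet MP, which is what the "internet clients only" setting changes.
"Known MP candidates:"
Get-CimInstance -Namespace "$ccm\LocationServices" -ClassName SMS_ActiveMPCandidate |
    Select-Object MP, Type, Capabilities | Format-Table -AutoSize | Out-String

if ($currentMP -ne $ExpectedMP) {
    Write-Warning ("Client is talking to '{0}', expected '{1}'. Check which boundary group the client's " +
                   "IP/AD site falls into, that the DMZ MP is a site system in that group, and that the MP " +
                   "is set to accept both intranet and internet clients." -f $currentMP, $ExpectedMP)
}

# 4. Client-authentication certificate: is there one with a private key, and does its
#    chain build with an ONLINE revocation check, i.e. the check the MP performs when
#    CRL checking is enabled? A chain that fails only with RevocationStatusUnknown /
#    OfflineRevocation means the cert is fine but the CRL DP cannot be reached from here.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'
$certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $clientAuthOid)
}
if (-not $certs) {
    Write-Warning 'No client-authentication certificate with a private key found in LocalMachine\My.'
}

foreach ($cert in $certs) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $builds = $chain.Build($cert)

    "Cert           : $($cert.Subject)"
    "  Issuer       : $($cert.Issuer)"
    "  Expires      : $($cert.NotAfter.ToString('u'))"
    "  Chain builds : $builds"
    if (-not $builds) {
        foreach ($status in $chain.ChainStatus) {
            "  - $($status.Status): $($status.StatusInformation.Trim())"
        }
        $revocationOnly = @($chain.ChainStatus | Where-Object {
            $_.Status -notin 'RevocationStatusUnknown', 'OfflineRevocation'
        }).Count -eq 0
        if ($revocationOnly) {
            Write-Warning 'Chain is trusted but the CRL could not be fetched: the CDP URL is not reachable from this network segment.'
        }
    }
    $chain.Reset()
}
```

Run it from the DMZ workgroup server and from an internet-connected laptop and compare: a client that reports `InInternet : True` with the primary site server as its current MP, or a DMZ server whose only MP candidate is of the intranet type, points at the boundary group or MP role settings discussed in posts 15 and 19 rather than at certificates. If the chain fails only on revocation, that is the condition post 12 works around by disabling CRL checking; publishing the CRL to a location reachable from the DMZ and the internet (post 11) is the fix that lets the check be turned back on.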