
Damo

Established Members, 17 posts

Posts posted by Damo

  1. Apologies for the delay; let me just explain what I'm trying to do and what I've done in preparation.

    I've connected my SCCM instance to Intune, set up pilot Intune and offloaded some of the workloads I need to Intune.  I've targeted a collection for this and based it on a specific OS version.  I have created policies in Intune to manage the disk encryption.  I've tested building PCs to 20H2 with a task sequence that wipes and configures them from scratch; they drop into the collection, pick up the policy, and the PCs happily encrypt via Intune. Great.

    What I'm doing now is creating another task sequence that will in-place upgrade my Windows 1809 clients to 20H2. The issue I have is I'm not sure what steps are needed during the migration regarding encryption on these clients: they are currently encrypted with on-premises MBAM rules, and the current 1809 clients aren't managed by Intune whatsoever.  I can't work out in my head, or from reading guides, quite how I can move the encryption to Intune. Do they need unencrypting during the upgrade task sequence and the TPM cleared, or is there a way to move them without these steps being needed?  They are currently AES256 encrypted in MBAM and the Intune policy is set to AES256 XTS.

     

    Thanks
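
A pre-upgrade check for the migration described in this post, added here as an example; it is not from the original thread and not part of any Microsoft or MBAM tooling. It assumes an elevated PowerShell session on the Windows 10 1809 client with the built-in BitLocker and TrustedPlatformModule modules; the $Target default and the -EscrowToAAD switch are this example's own names. It reports the OS volume's current cipher and key protectors alongside what the TPM reports, flags a cipher mismatch against the XTS-AES-256 that the Intune policy asks for (a volume's cipher is fixed at the time it is encrypted, so a later policy cannot convert an AES256-CBC volume to XTS in place; only a decrypt and re-encrypt does that), and optionally escrows the recovery password to Azure AD, which only succeeds on a device that is Azure AD joined or hybrid joined.

```powershell
# Added example (not from the original post). Run elevated on the 1809 client before
# the in-place upgrade. $Target and -EscrowToAAD are this example's own names.
#Requires -RunAsAdministrator
param(
    [string]$Target = 'XtsAes256',   # cipher the Intune policy in the post requires
    [switch]$EscrowToAAD             # also back up recovery passwords to Azure AD
)

$vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
$tpm = Get-Tpm

[pscustomobject]@{
    MountPoint       = $vol.MountPoint
    VolumeStatus     = $vol.VolumeStatus          # FullyEncrypted / FullyDecrypted / ...
    ProtectionStatus = $vol.ProtectionStatus      # Off while BitLocker is suspended
    EncryptionMethod = $vol.EncryptionMethod      # e.g. Aes256 (CBC) versus XtsAes256
    KeyProtectors    = ($vol.KeyProtector.KeyProtectorType -join ', ')
    TpmPresent       = $tpm.TpmPresent
    TpmReady         = $tpm.TpmReady
    TpmManufacturer  = $tpm.ManufacturerIdTxt
} | Format-List

# The cipher is chosen when the volume is encrypted and never changes afterwards, so a
# policy delivered later cannot turn an Aes256 volume into XtsAes256 in place.
$method = $vol.EncryptionMethod.ToString()
if ($vol.VolumeStatus -ne 'FullyDecrypted' -and $method -ne $Target) {
    Write-Warning "Volume is $method but policy wants $Target. Only decrypt + re-encrypt changes the cipher:"
    Write-Warning "  Disable-BitLocker -MountPoint $($vol.MountPoint)   # wait until VolumeStatus = FullyDecrypted"
    Write-Warning "  Enable-BitLocker -MountPoint $($vol.MountPoint) -EncryptionMethod $Target -TpmProtector -SkipHardwareTest"
} elseif ($vol.VolumeStatus -ne 'FullyDecrypted') {
    Write-Host "Cipher is already $method; the volume can stay encrypted through the upgrade."
}

# Make sure a recovery password exists and, if asked, escrow it to Azure AD. Windows Setup
# suspends BitLocker itself during an in-place upgrade; it does not decrypt the volume.
$rps = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $rps) {
    $vol = Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector
    $rps = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
}
if ($EscrowToAAD) {
    foreach ($rp in $rps) {
        # Requires an Azure AD joined (or hybrid joined) device; fails on a plain domain PC.
        BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $rp.KeyProtectorId
    }
}
```

Run it without -EscrowToAAD first to see the state the upgrade will start from; the warning branch is the case the post describes (AES256 volumes under an XTS policy), and the commands it prints are the only path that changes the cipher.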

  2. Has anyone managed to get a Microsoft Surface Go 2 (LTE model) to PXE boot successfully? I have just got a model in to test and I'm unable to get it to PXE boot correctly; it just sits at "waiting for approval".  I've tried booting using a Surface Dock 2, and I have also tried with the official USB-C adaptor, and it won't boot.  I've updated the firmware to the latest version, and I have also added the MAC in the hierarchy settings in SCCM to allow duplicate hardware identifiers.  I'm currently running on v2010 and ADK 2004.

  3. I am in the process of upgrading our SCCM infrastructure from Svr2008R2 and SQL2008R2 to 2012R2 so I can upgrade to Current Branch.  We are doing in-place upgrades to 2012R2 on our Primary Site and also on our separate DB server.  Our DBA is going to start by upgrading our SQL version to 2014 on the box, and they have asked where these facets attached to the database come from and how they are generated; as the DBA plans on detaching, backing up and re-attaching the DB, they said these facets will not be carried over.  Are these facets generated by SCCM, and will they continue to exist after the version of SQL is upgraded and the database reattached?

    I have attached a screenshot of the facets in question.

     

    Thanks

    [Attachment: SS.png]

  4. I seem to remember that you need to enable settings in the registry in order to install BitLocker when away from MBAM/AD.  I use the following reg entries on mine when they are standalone PCs:

     

    Windows Registry Editor Version 5.00

    ; BitLocker (FVE) policy values as the Group Policy settings would write them.
    ; EncryptionMethod is the pre-Windows 10 1511 cipher selector (2 = AES 256 with Diffuser);
    ; Windows 10 1511 and later read EncryptionMethodWithXtsOs/Fdv/Rdv instead.
    ; For the four Use* values: 0 = do not allow, 1 = require, 2 = allow.
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE]
    "EncryptionMethod"=dword:00000002
    "DisallowStandardUserPINReset"=dword:00000000
    "OSEnablePrebootInputProtectorsOnSlates"=dword:00000001
    "UseAdvancedStartup"=dword:00000001
    "EnableBDEWithNoTPM"=dword:00000000
    "UseTPM"=dword:00000002
    "UseTPMPIN"=dword:00000002
    "UseTPMKey"=dword:00000000
    "UseTPMKeyPIN"=dword:00000000
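
The same policy values applied from PowerShell and followed through to an actual TPM+PIN encryption of the OS drive, added here as an example and not from the original post. It assumes an elevated session on a standalone Windows 10 machine with a present and ready TPM and a not-yet-encrypted OS drive. The EncryptionMethodWithXtsOs entry is an addition for Windows 10 1511 and later (7 = XTS-AES 256), because the EncryptionMethod value in the .reg fragment is the pre-1511 selector; everything else mirrors the fragment. The recovery password is created first and printed so it can be stored off the box before encryption begins.

```powershell
# Added example (not from the original post). Writes the FVE policy values from the .reg
# fragment, refuses to continue without a usable TPM, then encrypts the OS drive TPM+PIN.
#Requires -RunAsAdministrator

$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }

$policy = @{
    EncryptionMethod                       = 2   # legacy (pre-1511) selector, as in the post
    EncryptionMethodWithXtsOs              = 7   # added: Win10 1511+ OS-drive cipher, 7 = XTS-AES 256
    DisallowStandardUserPINReset           = 0   # standard users may change their own PIN
    OSEnablePrebootInputProtectorsOnSlates = 1   # allow a PIN prompt on slates without a keyboard
    UseAdvancedStartup                     = 1   # "Require additional authentication at startup" = Enabled
    EnableBDEWithNoTPM                     = 0   # refuse BitLocker without a TPM
    UseTPM                                 = 2   # 0 = do not allow, 1 = require, 2 = allow
    UseTPMPIN                              = 2
    UseTPMKey                              = 0
    UseTPMKeyPIN                           = 0
}
foreach ($kv in $policy.GetEnumerator()) {
    New-ItemProperty -Path $fve -Name $kv.Key -Value $kv.Value -PropertyType DWord -Force | Out-Null
}

# EnableBDEWithNoTPM = 0 means Enable-BitLocker will fail without a TPM; check up front.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM not usable (present=$($tpm.TpmPresent), ready=$($tpm.TpmReady)); run Initialize-Tpm first."
}

$os  = $env:SystemDrive
$pin = Read-Host -AsSecureString 'Startup PIN (at least 6 digits by default)'

# Recovery password first, so there is a way back in if the TPM measurements change.
$vol = Add-BitLockerKeyProtector -MountPoint $os -RecoveryPasswordProtector
$rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
Write-Host "Recovery password (store off this machine): $($rp.RecoveryPassword)"

# TPM+PIN on the OS drive. -SkipHardwareTest skips the reboot-and-verify pass.
Enable-BitLocker -MountPoint $os -TpmAndPinProtector -Pin $pin -EncryptionMethod XtsAes256 -SkipHardwareTest

Get-BitLockerVolume -MountPoint $os |
    Select-Object MountPoint, VolumeStatus, EncryptionMethod,
        @{ n = 'Protectors'; e = { $_.KeyProtector.KeyProtectorType -join ', ' } }
```

The final Select-Object should show EncryptionMethod XtsAes256 and both RecoveryPassword and TpmPin in the protector list; if the policy key had not been written, the TPM+PIN protector would be rejected under the default "TPM only" startup policy.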

  5. I make sure my Software Inventory in my client settings is collecting from my Program Files folder and use the following query:

     

    select distinct SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name,
        SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup, SMS_R_System.Client
    from SMS_R_System
    inner join SMS_G_System_SoftwareFile
        on SMS_G_System_SoftwareFile.ResourceID = SMS_R_System.ResourceId
    where SMS_G_System_SoftwareFile.FileName = "iexplore.exe"
      and SMS_G_System_SoftwareFile.FilePath like "%prog%internet%"
      and SMS_G_System_SoftwareFile.FileVersion like "11.%"

  6. Config Mangler, it has a Microsoft one. I have been given a tool by Panasonic which, when you extract the TPM owner password from MBAM or locally, allows the TPM threat level to be reset each time the user logs in. It's a pain in the backside, but at least it allows me to stop the TPM getting locked out by the user.

  7. I seem to have an issue where I cannot control the behaviour of our TPMs in our Panasonic devices via Group Policy. I have issues where the TPMs (manufactured by Infineon) in our Panasonic AX3s seem to lock out far too easily; previously I had not applied any Group Policy settings to control the behaviour of the TPMs themselves, as during testing they seemed fine. Now I have tried to apply settings to set the standard user lockout threshold and maximum number of authorisations, and on our Panasonic devices I cannot seem to set these settings; it's like the TPM ignores the commands from Group Policy. I have tried this on some Lenovo devices (TPM manufactured by STM) built in exactly the same manner, and the TPM will accept the commands. Has anyone else had this issue with these or similar devices at all? All of our devices are built identically, with the TPM being initialised during a build sequence, and they are set up with BitLocker using MBAM 2.0. Any help would be most appreciated.

     

     

    Thanks
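
To put what Group Policy wrote next to what the TPM itself reports, here is an added example; it is not from posts 6 or 7 and is not the Panasonic tool mentioned in post 6. It assumes Windows 8.1 or later (for Get-Tpm and Unblock-Tpm) and an elevated session; the -OwnerAuth parameter name is the example's own. The standard-user lockout thresholds under the TPM policy key are limits Windows enforces in front of the TPM, whereas LockoutCount and LockoutMax come from the TPM's own anti-hammering counter, so seeing both answers two separate questions: did the GPO land on this machine at all, and what is the hardware actually counting. Unblock-Tpm is the built-in way to reset that counter with the TPM owner authorization, which is the value the post describes extracting from MBAM.

```powershell
# Added example (not from the original posts). Read-only unless -OwnerAuth is supplied
# and the TPM is currently locked out. -OwnerAuth is this example's own parameter name.
#Requires -RunAsAdministrator
param([string]$OwnerAuth)   # TPM owner authorization (base64), e.g. recovered from MBAM

$tpm = Get-Tpm
$wmi = Get-CimInstance -Namespace root/cimv2/Security/MicrosoftTpm -ClassName Win32_Tpm

# What the TPM itself says: manufacturer (IFX = Infineon, STM = ST Micro) and its own counter.
[pscustomobject]@{
    Manufacturer     = $tpm.ManufacturerIdTxt
    SpecVersion      = $wmi.SpecVersion          # "1.2, 2, 3" style string for TPM 1.2
    Owned            = $tpm.TpmOwned
    LockedOut        = $tpm.LockedOut
    LockoutCount     = $tpm.LockoutCount         # failed authorizations the TPM has counted
    LockoutMax       = $tpm.LockoutMax           # the TPM's own threshold
    LockoutHealTime  = $tpm.LockoutHealTime
    ManagedAuthLevel = $tpm.ManagedAuthLevel     # Legacy / Delegated / Full
} | Format-List

# What Group Policy delivered: the "Standard User Lockout" settings are written here by the
# TPM ADMX. If the key is missing, the policy never reached this machine, whatever the TPM does.
$pol = 'HKLM:\SOFTWARE\Policies\Microsoft\TPM'
if (Test-Path $pol) {
    Get-ItemProperty -Path $pol |
        Select-Object StandardUserAuthorizationFailureIndividualThreshold,
                      StandardUserAuthorizationFailureTotalThreshold,
                      StandardUserAuthorizationFailureDuration |
        Format-List
} else {
    Write-Warning "No $pol key: the TPM Group Policy has not applied to this machine."
}

# Reset the TPM's anti-hammering counter with the owner authorization, then re-read state.
if ($tpm.LockedOut -and $OwnerAuth) {
    Unblock-Tpm -OwnerAuthorization $OwnerAuth
    "LockedOut after Unblock-Tpm: {0}" -f (Get-Tpm).LockedOut
}
```

Comparing the output between a Panasonic (Infineon) and a Lenovo (STM) device built the same way shows whether the two differ in the policy key (a delivery problem) or only in the TPM's reported LockoutMax and heal time (a hardware difference).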

     

  8. Honestly, I tried my best to convince the MS support engineer that these were our symptoms. I had seen that article recently, and because we didn't have exactly the same error code, only the symptoms, he just wouldn't accept that it was the same; I offered to test any hotfix in development as well. My hair is going grey over this; I have now had to turn off the updates scan cycle on my clients to stave off these symptoms. We are looking to update those clients on 2 GB, but it takes time to replace or upgrade these machines, and seeing as 2 GB is what MS recommends, it's pretty frustrating. Thanks for listening and replying, Garth.

  9. Quick question: do I need to have the client settings for Software Updates enabled in order to use an ADR to apply Forefront Client DAT (SCEP) updates to clients? We have an issue with the WUA agent on our clients and I want to disable software update scans until Microsoft resolves the issue, but I don't want to stop our DAT files going out to our clients.

     

     

    Thanks
