Imraz

is this WQL or SQL? where do you apply this code? Thanks again.

I will look into this further, but is this required for the internet clients? I have to do some proper digging into PKI before making these kinds of mods if needed in production.

yeah that error can have many different causes not necessarily related to your exact setup, anyway Justin from PatchMYPC has exactly what i need for now for some POC's. I will revisit this nice thread afterwards.

Anyway I went to the doctor about a headache and got taken in to be treated for open heart surgery and a colonoscopy. This video from Patch My PC references this detailed undertaking but it has exactly what i needed to get a POC started in my LAB, this is all I needed for now:

for Step 6, also I'm not using an offline Root CA, in fact I'm using the Root CA on the DC in my lab, when I run the CRL component, I see it is successful, I can confirm the new entry in Adsiedit. but with the CRT, it does not work. I get this error: CertUtil: -dsPublish command FAILED: 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER) Certutil: Parameter is incorrect. looking about I don't have the registry entry thats meant to be there as per this good article: https://social.technet.microsoft.com/wiki/contents/articles/12035.ad-certification-authority-web-enrollment-configuration-failed-0x80070057-win32-87.aspx Anyway I think this PKI is too much of an undertaking that will never be replicated in our Prod. Surely there is a much simpler way to just get the some encryption for https traffic on SCCM. Will look at other sources for deploying bitlocker via SCCM.

I have run the OID script on an unrelated machine and I have been given this: 1.2.840.113556.1.8000.2554.4056.31062.24957.18466.39108.9288047.13760481 I don't know if this is an OID? Do you know what this mean Niall? thank you again.

I see this website https://freeoid.pythonanywhere.com/getoid I wonder if just create it here and update the capolicy file, Its because I have no idea what that script does. I will run that script on a machine anyway to see what it does. I will be too scared to any OID stuff on our prod environment... I cannot see me doing this. This lab is informative, but no way can this PKI setup be on our prod. I also only wanted to know how to just use IIS for bitlocker recovery keys, now I'm building 20 servers in a lab haha

I would love to know how and where I'd get this "OID". I saw someone talking about an IANA registration earlier, but surely!!!! surely!! PKI's are not THIS convoluted? I just normally see a root ca hanging of a DC... Hi Niall, How exactly do step 4 run that script as is or modify it? if I modify it what do I modify? I don't want to assume. I also have no idea how ( or course I'm missing something) anyone understands what you said to do there..... reminds me that I might not be in the right industry? do I just modify that script? or run it on the issuing CA? also now that I'm in part 5, i am getting more confused how this will work in our prod as our prod is nothing like this lab at all.....

ha, the funny thing is that link you sent me was the first article I read in relation to this. It would appear that I have missed a bit. I will go through it again though and find what I'm looking for.

Thanks Niall, yes apologies in my incorrect wording. IIS hosting the "recovery service". I'll look into that link you sent me.

Hi all, I'm configuring a lab here for SCCm 2002 and I am looking at implementing bitlocker. I have been reading that from 2002, we don't need to enable https through out the MP to encrypt the recovery keys, we can just enable it on IIS. The problem I have is I have no idea how to do this. I quote Niall here from another post: "if you choose to not use PKI in your infrastructure then you need to add a PKI-based server auth cert to the IIS website hosting the recovery service – this can be the same cert you used when configuring HTTPS on the MP or another PKI-issued cert if not using HTTPS." , but again I have no idea how to get to it. If someone could show me where in IIS I am "hosting" said recovery keys, that would really be appreciated. I have enable bitlocker management, created a policy, and selected 'enable plain text recovery keys". Now it seems I cannot create another policy without plain text recovery keys. My primary concern however is know how and where I can "host" recovery keys on IIS. I have uploaded a screenshot from my lab here an I hope this helps someone as I do not know what I need to do here. Thanks again.

Hello, I'm just trying to figure out how to even do this, can anyone please point me in the right direction?