

Established Members
Community Reputation

0 Neutral

About Imraz

  1. Is this WQL or SQL? Where do you apply this code? Thanks again.
  2. I will look into this further, but is this required for the internet clients? I have to do some proper digging into PKI before making these kinds of mods if needed in production.
  3. Yeah, that error can have many different causes, not necessarily related to your exact setup. Anyway, Justin from Patch My PC has exactly what I need for now for some POCs. I will revisit this nice thread afterwards.
  4. Anyway, I went to the doctor about a headache and got taken in to be treated for open heart surgery and a colonoscopy. This video from Patch My PC references this detailed undertaking, but it has exactly what I needed to get a POC started in my lab. This is all I needed for now:
  5. For Step 6, also I'm not using an offline Root CA; in fact, I'm using the Root CA on the DC in my lab. When I run the CRL component, I see it is successful, and I can confirm the new entry in Adsiedit. But with the CRT, it does not work. I get this error: CertUtil: -dsPublish command FAILED: 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER) Certutil: Parameter is incorrect. Looking about, I don't have the registry entry that's meant to be there as per this good article: https://social.technet.microsoft.com/wiki/contents/articles/12035.ad-certification-authority-web-enrollment-configuration-failed-0x8
  6. I have run the OID script on an unrelated machine and I have been given this: 1.2.840.113556.1.8000.2554.4056.31062.24957.18466.39108.9288047.13760481 I don't know if this is an OID? Do you know what this means, Niall? Thank you again.
  7. I see this website: https://freeoid.pythonanywhere.com/getoid I wonder if I just create it here and update the capolicy file. It's because I have no idea what that script does. I will run that script on a machine anyway to see what it does. I will be too scared to do any OID stuff on our prod environment... I cannot see me doing this. This lab is informative, but no way can this PKI setup be on our prod. I also only wanted to know how to just use IIS for BitLocker recovery keys, now I'm building 20 servers in a lab, haha
  8. I would love to know how and where I'd get this "OID". I saw someone talking about an IANA registration earlier, but surely!!!! surely!! PKIs are not THIS convoluted? I just normally see a root CA hanging off a DC... Hi Niall, how exactly do I do step 4: run that script as is, or modify it? If I modify it, what do I modify? I don't want to assume. I also have no idea how (of course I'm missing something) anyone understands what you said to do there..... reminds me that I might not be in the right industry? Do I just modify that script? Or run it on the issuing CA? Also now that I'm in part 5
  9. Ha, the funny thing is that link you sent me was the first article I read in relation to this. It would appear that I have missed a bit. I will go through it again though and find what I'm looking for.
  10. Thanks Niall, yes, apologies for my incorrect wording. IIS hosting the "recovery service". I'll look into that link you sent me.
  11. Hi all, I'm configuring a lab here for SCCM 2002 and I am looking at implementing BitLocker. I have been reading that from 2002, we don't need to enable HTTPS throughout the MP to encrypt the recovery keys; we can just enable it on IIS. The problem I have is I have no idea how to do this. I quote Niall here from another post: "if you choose to not use PKI in your infrastructure then you need to add a PKI-based server auth cert to the IIS website hosting the recovery service – this can be the same cert you used when configuring HTTPS on the MP or another PKI-issued cert if not using HTTPS
  12. Hello, I'm just trying to figure out how to even do this, can anyone please point me in the right direction?