Jump to content


Recommended Posts

Quote

Excellent guides, thankyou!

thanks !

as regards your problem I'm not using TPM+PIN, have you tried with just TPM only ? does it work there or same issue ?

Share this post


Link to post
Share on other sites
14 hours ago, anyweb said:

thanks !

as regards your problem I'm not using TPM+PIN, have you tried with just TPM only ? does it work there or same issue ?

It works but wouldn't have the same issue, as no PIN is asked for. If removing PIN, Bitlocker recovery is not required, it will just boot into windows without asking for the PIN... Our problem is specifically when using a PIN and requiring recovery if a user forgets their PIN.

Share this post


Link to post
Share on other sites

ok i've you are using the latest version of ConfigMgr, and you still see the issue then please raise a case with Microsoft

Share this post


Link to post
Share on other sites

Hi All

I have 2 questions which i need clarification on. as im working through the planning stage to migrate a standalone mbam solution into my sccm solution. 

1) Am I right in thinking that if I want to set up a new server for the new mbam portals , the only requirement from sccm is that I install the management role on it. Once thats on i can then go ahead and install the mbam portals then https enable them.

2) This brings me onto question 2. As i was reading the Microsoft article (https://docs.microsoft.com/en-us/mem/configmgr/protect/deploy-use/bitlocker/encrypt-recovery-data-transit) it states

Note

If your site has more than one management point, enable HTTPS on all management points at the site with which a BitLocker-managed client could potentially communicate. If the HTTPS management point is unavailable, the client could fail over to an HTTP management point, and then fail to escrow its recovery key.

This recommendation applies to both options: enable the management point for HTTPS, or enable the IIS website that hosts the recovery service on the management point.

 

So does this mean every management point i need to install the recovery service on AND then enable the IIS website?  (Is this done when you run the ps scripts to create the portals??)

OR

Just make sure i have at least more than one? Especially if im thinking a global solution?

 Last thing 

Im migrating the current solution which has bitlocker group policies so if i deployed the sccm bitlocker policy would there still be a conflict even if i matched the policies? The reason why i ask is i noticed on Nials excellent videos that the reporting server changed. So i was trying to work out which reporting server would win? The sccm one or the current mbam server.

My thinking is:

1) turn off group policy and deploy the sccm policy (testing and tweaking in test before prod) so no conflict and machines are instantly covered by the new sccm policy

2) I have to do a phased approach - cant turn off the old policy as machines are unprotected. If i deploy the sccm policy will there issues with machines reporting to the reporting server (ie group policy overriding the sccm reporting server)

3) I have to do a phased approach - either move machines to a new ou (highly doubtful) or create security group which is excluded from current bitlocker policies and add machines in here which get the sccm policy applied.

 

Any thoughts most appreciated

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...


×
×
  • Create New...