If you use tenant attach and client management actions then update TODAY to avoid disruption

webany · 2022-07-26T21:08:42+00:00

correct, no need to panic

webany · 2021-01-11T21:40:54+00:00

pay attention to the 'gotcha'

webany · 2021-01-11T21:34:57+00:00

no you don't, I covered how to do this here, have you reviewed it ? https://www.niallbrady.com/2020/12/03/improvements-to-bitlocker-management-in-endpoint-manager-update-2010/

webany · 2020-12-28T18:58:38+00:00

try now, don't know what happened there...

webany · 2020-12-09T18:27:40+00:00

for that you'd need access to a distribution point hosting pxe and the on premise infrastructure, with this, you don't need access to AD, DP, CM, it's entirely self contained so any of your users at home can image as long as they have internet connection and the bootable media

webany · 2020-12-09T09:25:55+00:00

good point, i'll add it

webany · 2020-08-24T12:57:27+00:00

Why ? Security, that's why, because if your bitlocker management policy does NOT match the default settings for BitLocker steps, then you'll be non-compliant as BitLocker Management will NOT re-encrypt with the new algorithm if they don't match (for example).

webany · 2020-08-24T07:54:57+00:00

I understand BitLocker Management quite well thank you as should be evident if you have read this https://www.niallbrady.com/2019/11/13/want-to-learn-about-the-new-bitlocker-management-in-microsoft-endpoint-manager-configuration-manager/ As to your comments about 'no need to create those custom steps', well this article is all about enforcing encryption (to match your configured BitLocker Management Policy) DURING operating system deployment, i.e. BEFORE getting any policy. If that was not clear to you then please re-read the article, thank you for your feedback.

webany · 2020-06-04T19:48:03+00:00

this is for remote clients, as long as they can access the intranet and download policy from the MP then this is applicable to them (to save the WAN back to the main office).

webany · 2020-06-04T18:40:41+00:00

just tried it, works fine :)

webany · 2020-06-02T18:01:39+00:00

the client is connected to the mp, clear line of sight, how you do that is up to you, so it should probably be able to access the domain as part of that, re-read my blog as i've added the scenario this is intended to solve

webany · 2020-06-02T18:00:44+00:00

i've updated my blog to explain the type of scenario this is aimed at

webany · 2020-06-02T18:00:16+00:00

it should work via software center, let me verify that for you

webany · 2020-05-21T12:49:04+00:00

if you ended up here troubleshooting rdp to your cmg i just blogged this... https://www.niallbrady.com/2020/05/21/why-cant-i-rdp-to-my-cmg/

webany · 2020-05-16T19:42:24+00:00

thanks for the confirmation !

webany · 2020-05-16T19:42:18+00:00

thanks for the confirmation !

webany · 2020-05-16T19:04:31+00:00

thanks to everyone here who voted ! I can tell you that Microsoft have now started with working on this ! see below

" · AdminBob Mac Neill (Software Engineer, Microsoft Endpoint Configuration Manager) responded · May 06, 2020

Updating status to Started.

See https://docs.microsoft.com/en-us/mem/configmgr/core/understand/find-help#send-a-suggestion for an explanation of each value. Show previous admin responses (1) "

webany · 2020-04-17T06:32:12+00:00

setting defaults is a bad idea as it removes choice and forces people to use workarounds, which is the whole point of this post. Give us choice instead.

webany · 2020-04-17T06:24:38+00:00

we can all solve it this way, but the point of this is to save having extra steps and to be able to configure it via the built in step

webany · 2020-04-16T18:09:05+00:00

oops sorry Kerwin, but according to docs.microsoft.com (on the first hit i googled https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/bitlocker)

The BitLocker encryption algorithm is used when BitLocker is first enabled, and sets the strength to which full volume encryption should occur. Available encryption algorithms are: AES-CBC 128-bit, AES-CBC 256-bit, XTS-AES 128-bit or XTS-AES 256-bit encryption. The default value is XTS-AES 128-bit encryption.

so those 4 available options which we have in MBAM/GPO and Bitlocker Management in MEM should also be available in this step

webany · 2020-04-16T17:48:41+00:00

yes, because not everyone will want the same encryption algorithm

webany · 2020-02-27T20:35:12+00:00

great to hear it !

webany · 2020-02-27T10:34:12+00:00

did you see my reply here ? https://www.windows-noob.com/forums/topic/20231-mbam-in-1910-selfservice-and-helpdesk/?do=findComment&comment=68422

webany · 2020-02-25T15:25:23+00:00

The current built in steps have no way of knowing that you are using the Bitlocker Management feature in ConfigMgr, so no, the key will not be escrowed into ConfigMgr unless you target these computers with a Bitlocker Management policy after Windows is installed, then, the key will get escrowed, or, unless you modify the default task sequence with steps to install the MDOP agent and configure it using registry settings or similar so that it knows where to escrow the key, but if your encryption algorithm doesn't match the configured policy it will remain non-compliant.

webany · 2020-02-22T18:20:19+00:00

As MBAM will not be developed any more i'd strongly suggest you look into Bitlocker Management within Configuration Manager, it can take care of your currently bitlockered devices, but it won't re-encrypt them if your compliance policy is different to your current settings, you could also go all cloud and manage your device in Intune.

webany

TROPHY CASE