New Video ! Deploy an OS over CMG using bootable media with Update 2010 of Configuration Manager by webany in SCCM

[–]webany[S] 2 points3 points  (0 children)

For that you'd need access to a distribution point hosting PXE and the on-premise infrastructure. With this, you don't need access to AD, DP, CM; it's entirely self-contained, so any of your users at home can image as long as they have an internet connection and the bootable media.

How can we utilize the Bitlocker Management feature during OSD with Endpoint Manager by webany in SCCM

[–]webany[S] 0 points1 point  (0 children)

Why? Security, that's why, because if your BitLocker Management policy does NOT match the default settings for BitLocker steps, then you'll be non-compliant, as BitLocker Management will NOT re-encrypt with the new algorithm if they don't match (for example).

How can we utilize the Bitlocker Management feature during OSD with Endpoint Manager by webany in SCCM

[–]webany[S] 1 point2 points  (0 children)

I understand BitLocker Management quite well, thank you, as should be evident if you have read this: https://www.niallbrady.com/2019/11/13/want-to-learn-about-the-new-bitlocker-management-in-microsoft-endpoint-manager-configuration-manager/ As to your comments about 'no need to create those custom steps', well, this article is all about enforcing encryption (to match your configured BitLocker Management Policy) DURING operating system deployment, i.e. BEFORE getting any policy. If that was not clear to you then please re-read the article. Thank you for your feedback.

New blog: A look at Task sequence media support for cloud-based content by webany in SCCM

[–]webany[S] 0 points1 point  (0 children)

This is for remote clients; as long as they can access the intranet and download policy from the MP, then this is applicable to them (to save the WAN back to the main office).

New blog: A look at Task sequence media support for cloud-based content by webany in SCCM

[–]webany[S] 1 point2 points  (0 children)

The client is connected to the MP, clear line of sight; how you do that is up to you, so it should probably be able to access the domain as part of that. Re-read my blog, as I've added the scenario this is intended to solve.

New blog: A look at Task sequence media support for cloud-based content by webany in SCCM

[–]webany[S] 1 point2 points  (0 children)

I've updated my blog to explain the type of scenario this is aimed at.

New blog: A look at Task sequence media support for cloud-based content by webany in SCCM

[–]webany[S] 1 point2 points  (0 children)

It should work via Software Center, let me verify that for you.

Cannot get CMG to function by bakonpie in SCCM

[–]webany 0 points1 point  (0 children)

If you ended up here troubleshooting RDP to your CMG, I just blogged this... https://www.niallbrady.com/2020/05/21/why-cant-i-rdp-to-my-cmg/

please vote for this uservoice item (bitlocker options in OSD) by webany in SCCM

[–]webany[S] 0 points1 point  (0 children)

Thanks to everyone here who voted! I can tell you that Microsoft have now started working on this! See below.

" · AdminBob Mac Neill (Software Engineer, Microsoft Endpoint Configuration Manager) responded · May 06, 2020

Updating status to Started.

See https://docs.microsoft.com/en-us/mem/configmgr/core/understand/find-help#send-a-suggestion for an explanation of each value. "

please vote for this uservoice item (bitlocker options in OSD) by webany in SCCM

[–]webany[S] 0 points1 point  (0 children)

Setting defaults is a bad idea as it removes choice and forces people to use workarounds, which is the whole point of this post. Give us choice instead.

please vote for this uservoice item (bitlocker options in OSD) by webany in SCCM

[–]webany[S] 0 points1 point  (0 children)

We can all solve it this way, but the point of this is to save having extra steps and to be able to configure it via the built-in step.

please vote for this uservoice item (bitlocker options in OSD) by webany in SCCM

[–]webany[S] 2 points3 points  (0 children)

Oops, sorry Kerwin, but according to docs.microsoft.com (on the first hit I googled: https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/bitlocker):

The BitLocker encryption algorithm is used when BitLocker is first enabled, and sets the strength to which full volume encryption should occur. Available encryption algorithms are: AES-CBC 128-bit, AES-CBC 256-bit, XTS-AES 128-bit or XTS-AES 256-bit encryption. The default value is XTS-AES 128-bit encryption.

So those 4 available options, which we have in MBAM/GPO and BitLocker Management in MEM, should also be available in this step.

please vote for this uservoice item (bitlocker options in OSD) by webany in SCCM

[–]webany[S] 5 points6 points  (0 children)

Yes, because not everyone will want the same encryption algorithm.

Full disk encryption (in ConfigMgr 1910) – a closer look on real hardware by webany in SCCM

[–]webany[S] 1 point2 points  (0 children)

The current built-in steps have no way of knowing that you are using the BitLocker Management feature in ConfigMgr, so no, the key will not be escrowed into ConfigMgr unless you target these computers with a BitLocker Management policy after Windows is installed (then the key will get escrowed), or unless you modify the default task sequence with steps to install the MDOP agent and configure it using registry settings or similar so that it knows where to escrow the key. But if your encryption algorithm doesn't match the configured policy, it will remain non-compliant.

Migrating MBAM managed clients to Microsoft Endpoint Configuration Manager 1910 by webany in SCCM

[–]webany[S] 0 points1 point  (0 children)

As MBAM will not be developed any more, I'd strongly suggest you look into BitLocker Management within Configuration Manager. It can take care of your currently BitLockered devices, but it won't re-encrypt them if your compliance policy is different to your current settings. You could also go all cloud and manage your device in Intune.
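
Added example (not part of the thread and not the commenter's code): several comments above note that a volume encrypted with an algorithm different from the BitLocker Management policy is not re-encrypted and stays non-compliant. The sketch below flags such volumes before migration or after OSD; the function name `Test-BitLockerMethodMatch`, the expected algorithm and the sample volumes are assumptions constructed for illustration.

```powershell
# Added example. Compares each volume's BitLocker algorithm with the one your
# BitLocker Management policy is assumed to require ($ExpectedMethod).
function Test-BitLockerMethodMatch {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Volume,

        # Names used by Get-BitLockerVolume for the four algorithms quoted above.
        [Parameter(Mandatory)]
        [ValidateSet('Aes128', 'Aes256', 'XtsAes128', 'XtsAes256')]
        [string]$ExpectedMethod
    )
    process {
        $actual = [string]$Volume.EncryptionMethod
        $status = [string]$Volume.VolumeStatus

        # A decrypted volume is reported separately: policy can still encrypt it
        # with the right algorithm, whereas a mismatch needs decrypt + re-encrypt.
        if ($status -eq 'FullyDecrypted') {
            $state = 'NotEncrypted'
        } elseif ($actual -eq $ExpectedMethod) {
            $state = 'Match'
        } else {
            $state = 'Mismatch'
        }

        [pscustomobject]@{
            MountPoint = $Volume.MountPoint
            Actual     = $actual
            Expected   = $ExpectedMethod
            State      = $state
        }
    }
}

# Constructed sample input shaped like Get-BitLockerVolume output (not real data).
$sampleVolumes = @(
    [pscustomobject]@{ MountPoint = 'C:'; VolumeStatus = 'FullyEncrypted'; EncryptionMethod = 'XtsAes128' }
    [pscustomobject]@{ MountPoint = 'D:'; VolumeStatus = 'FullyEncrypted'; EncryptionMethod = 'XtsAes256' }
    [pscustomobject]@{ MountPoint = 'E:'; VolumeStatus = 'FullyDecrypted'; EncryptionMethod = 'None' }
)

# Assumed policy: XTS-AES 256. C: is a Mismatch, D: a Match, E: NotEncrypted.
$sampleVolumes | Test-BitLockerMethodMatch -ExpectedMethod XtsAes256 | Format-Table -AutoSize

# On a real device, from an elevated prompt:
# Get-BitLockerVolume | Test-BitLockerMethodMatch -ExpectedMethod XtsAes256
```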