Leaderboard

Do follow steps 1) delete c:\windows\system32\GroupPolicy\Machine\Registry.pol 2) Gpudate /force 3)initiate Machine policy , software update and evaluation.

@anyweb, thank you for your availability and troubleshooting. I have figured out the problem. The issue stemmed from the fact that I was primarily working with headless computers in my environment. Even though I was running MSTSC with the /admin or /console switch, I never properly checked if the established session was, in fact, a console session. This is why the policy would fail, and we would see errors in the logs when the policy attempted to launch the MBAM UI. I didn’t realize this until I revisited my VMs and accessed them through the console, instead of connecting via MSTSC. On existing, imaged devices, I was able to resolve the issue by manually interacting with a few devices using SCCM's remote control viewer, which establishes a console session. After logging in via SCCM’s remote viewer, the BitLocker policy executed and encrypted the drives without any issues. For anyone else in your community facing a similar problem, I addressed the headless computer issue by creating a task sequence during OS deployment. This ensures that devices are imaged with the appropriate BitLocker settings that align with my BitLocker policy. This way, all imaged devices are compliant from the start, and SCCM can still report compliance for these devices, since the policy settings are consistent and encryption is not required. Since I will mostly be accessing the headless computers via MSTSC, this solution works well for my environment.

Sorry to hear that. Thank you for the reply.

Another point of reference I wrote a few years back can be found on our blog here!

Ok, fixed it. In case anyone else ends up with this issue; the problem in this case was trusted site settings. For some reason the "include all local (intranet) sites" option was not being respected and the fqdn of the primary site; cmserver.corp.com had to be added to the local intranet zone. The company portal logs shows that an exception occurred when calling the config manager user service Exception of type MessageSecurityException has been thrown. Detailed message: MessageSecurityException handled when trying to query the User Service with using... and that the Config Manager user service is using Windows Authentication 76xxxxxa-0xxa-4a6e-911f-fxxxxxxx9 2-1-1 Configuration Manager User Service is using Windows Auth. IIS logs on site server shows no authenticating users but a series of 401 returns to requesting client. When the client is on the Internet the company portal logs shows that the user service is contacted using AAD Auth instead of Windows auth so in that case no Integrated authentication was attempted. After adding the site server to the local intranet zone and re-launching the company portal all apps were displayed and no auth failures were logged

hi @RobsonM, thanks ! this tool does not migrate any of the users data, but ... it also doesn't delete anything so the users data (files apps etc) is still stored and hidden in their old profile located in C:\Users\<username.old> if you really want to migrate their data then you'll need to customize the scripts and/or use a 3rd party tool for that cheers niall

hi @shintest, i'm working on it just now so plan on releasing yet another release soon, please stay tuned !

In case anyone else encounters this, the issue is that using the run as feature in a task sequence that isn't OSD seems to require an account with interactive login. If it's an OSD task sequence, interactive login is not required. I had to call the credentials in the script and use a variable for the password to get around this.

I have uninstalled the old ADK and installed the new one. version, 10.1.26100.1. Upgrade the Boot Image and recreate new MDT TS Now it is working and I can deploy my OS or Application with MDT and UDI

yes but it won't help the MDT issue, i've informed the Microsoft Product group about this, let's see if they respond.

renewing certificates isn't so bad, have a read of my guide here > https://www.niallbrady.com/2020/08/16/how-can-i-replace-an-expired-iis-certificate-in-a-pki-enabled-configmgr-environment/

hi @dipalma thank you for trying out my solution, this code is 'as is' and it's up to you to make it work in your environment, you can rem out all the scrolling by editing the associated log file, but what you really should have seen is the full screen status screen and not the powershell logging what that means is something probably failed which is why you are seeing the powershell cmd instead of the status screen, feel free to post your logs here and i can take a look. that said, i'm still working on it and will hopefully have a newer version of it to release in the coming month or two with a LOT of bug fixes and improvements cheers niall

Hi guys Havent posted here in so long Firstly. DO you think its worth having a Microsoft Edge ( Chromium) forum section? I think more people will be deploying this now, especially with the nice enterprise stuff its got with SCCM integration tools ok now to my question I am currently working on deploying New Edge to my org. We currently use IE11 for legacy sites in compatibility mode with a website list in xml format sitting on all our users computers. IE looks for this site and opens it in compatibility mode This xml file is created using Enterprise Site Manager v1 WHen checking out how to make an xml for New edge. It says theres a v2 https://docs.microsoft.com/en-us/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance It says I wont get the benefits if I continue to use v1 but doesnt explain the benefits? What are they? We already have a list of sites in a v1 schema so I want to know if I should change it to v2 scheme for my MS new edge deploying for IE mode

If you use/have PowerShell built into your WinPE image, you could avoid using any files at all with this one-liner in the "Prestart command settings">"Command line" box: powershell.exe -noprofile -command "$TSEnv = New-Object -ComObject Microsoft.SMS.TSEnvironment;$TSDeploymentID = Read-Host 'Enter the TS Deployment ID: ';$TSEnv.Value('SMSTSPreferredAdvertID') = $TSDeploymentID" Partly leaving this here so I can find it in future. ?