anyweb

interesting, what version were they running prior to this ?

great Nancy, what did you do exactly so others may learn

and if you rdp to one of these machines and launch the console, does it work ?

what does the SMSAdminUI.log tell you (on their pc) ?

the ruleengine.log should give you some clues as to why it's taking time to do what you expect, take a look at this old blog post which will hopefully give you some ideas about going deeper with your troubleshooting

have you looked at your SQL firewall ports on the primary, there are several errors connecting to it in the start of the log *** [08001][2][Microsoft][SQL Server Native Client 11.0]A network-related or instance-specific error has occurred while establishing a connection to SQL Server. Server is not found or not accessible. Check if instance name is correct and if SQL Server is configured to allow remote connections. For more information see SQL Server Books Online. *** Failed to connect to the SQL Server, connection type: SCCM02-SHA.company.LOCAL MASTER. ERROR: Failed to connect to SQL Server 'master' db.

can you share the entire ConfigMgrPrereq.log, feel free to remove any private info first

on that server open a cmd prompt and do gpupdate /force if there's anything 'wrong' with the domain join, that'll tell you, particularly if it was a domain joined vm that was snapshotted back in time, that can drop the trust relationship

have you tried adding this to your unattend.xml ? <?xml version="1.0" encoding="utf-8"?> <unattend xmlns="urn:schemas-microsoft-com:unattend"> <settings pass="oobeSystem"> <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State"> <OOBE> <HideEULAPage>true</HideEULAPage> <ProtectYourPC>1</ProtectYourPC> <HideLocalAccountScreen>true</HideLocalAccountScreen> <HideOnlineAccountScreens>true</HideOnlineAccountScreens> <HideWirelessSetupInOOBE>true</HideWirelessSetupInOOBE> <SkipUserOOBE>true</SkipUserOOBE> <SkipMachineOOBE>true</SkipMachineOOBE> <HideOEMRegistrationScreen>true</HideOEMRegistrationScreen> </OOBE> <RegisteredOrganization></RegisteredOrganization> <RegisteredOwner></RegisteredOwner> <TimeZone></TimeZone> </component> </settings> <cpi:offlineImage cpi:source="wim://<server-name>/<share-name>/operating%20systems/windows%2010%20education%20x64%201703/sources/install.wim#Windows 10 Enterprise" xmlns:cpi="urn:schemas-microsoft-com:cpi" /> </unattend>

while you are at it check out https://techcommunity.microsoft.com/t5/windows-it-pro-blog/don-t-wait-for-june-15th-set-your-own-ie-retirement-date/ba-p/3298143

great that you got it working ! now regarding your UPN, you'll have to modify the script to work with your custom layout, and modify the $user and $upnsuffix variables to suit your environment, that's up to you to solve you might need to pull this info from Active Directory if it's available there

it must run under system context, so set it like i show in the picture below

hi @ryand274 did you modify the step to create the scheduled task in any way, it's very sensitive to any changes secondly, how are you testing this, i'd recommend you take a look at part 3 where I explain how to troubleshoot things

if you want the device bitlockered BEFORE a user logs on then do it via OSD as I explain here https://www.niallbrady.com/2022/03/06/new-video-escrow-bitlocker-recovery-password-to-the-site-during-a-task-sequence-in-configuration-manager-2203/

yes a user must be logged on, i've got my new lab at 2203 now in e-http mode, i haven't enabled Bitlocker Management yet for reports check my posts on that here

it takes time to get my lab up and running, and i have a day job, but i'm working on it... i'll let you know when i'm done

i'll get one of my labs up to 2203 without bitlocker management, and try testing this...

and this is using e-http instead of PKI ? is everything else working fine in this environment eg: deployment of applications to the client ?

there must be something missing, how are you connecting to the VM exactly ? are you RDP'ing to it (don't do that) or connecting to it from within the hyperv host secondly, have you tried creating a brand new vm with a virtual TPM (and no iso mounted) to see does it behave differently and lastly, don't use the section highlighted here (set it to disabled), this is for pre-Windows 10 operating systems...

well you didn't get that prompt before so i think that's a step forward, how have you configured this ? To force encryption without intervention you must set the Encryption Policy Enforcement Settings to Enabled and set the non compliance grace period (days) to 0 if you want it to start as soon as possible

eject the ISO in the drive. and see what happens bitlocker won't encrypt if there is a CD present...

ok does the client have a virtual TPM, and is it enabled ? what encryption settings have you set in your bitlocker management policy ?

the thing is, i don't think they are needed any more as the recovery is handled by the management point and not by any mbam recovery service (like it used to be) that would explain why you get an 'warning' in the logs and not an 'error'

the following article has some good tips for setting it up http://woshub.com/password-policy-active-directory/

well things changed after 2103 i think, and instead of the mdop agent handling communication to the recovery point the cmagent took over, so it could be related to that,