Everything posted by anyweb
- 
	
	
				application management Deploying Windows 10x64 with Office 2019x64
anyweb replied to ise66's question in Windows 10
you need to grab a copy of the unattend.xml that is created in c:\windows\panther\unattend just before the computer reboots, attach it here and we'll see what's wrong with it...
- 8 replies
 - 
	
		
- mandatory profiles
 - wondows 10
 - 
					(and 36 more) 
					
Tagged with:
- mandatory profiles
 - wondows 10
 - cb1910
 - sccm
 - cross-forest
 - multi-domain
 - sccm
 - cmg
 - azure
 - sup
 - client
 - sccm
 - dp
 - office 365 updates
 - query or collection in sccm
 - gpo
 - sccm cb
 - database
 - sccm cmdlets
 - sccm client
 - powershell
 - wmi
 - sccm
 - client settings
 - console
 - dell
 - 7212
 - imaging
 - osd
 - defaultuser0
 - configmgr
 - sccm
 - admin tools
 - current branch
 - manageengine
 - patch connect plus
 - configuration manager
 - non microsoft updates
 
 
 
 - 
	Introduction

Microsoft recently released Configuration Manager Technical Preview version 1909, which contained updates to the integrated MBAM functionality within Configuration Manager, and I blogged about that here. Those updates included Self Service and Help Desk abilities. In a previous blog post you looked at the Self Service feature for end users. This blog post will look at the Help Desk feature.

But first, why would a user need to call a help desk (in relation to MBAM)? Here’s why. If a user gets locked out of their Windows computer that is encrypted with BitLocker, and provided that the computer is managed by MBAM integrated with SCCM, then when BitLocker Recovery is triggered (by things like BIOS changes, software updates etc.), they’ll need to unlock it to gain access to the computer. For that they’ll need the recovery key, either via Self Service, which I already covered, or by calling the Help Desk. Some people cannot handle fixing things themselves and always opt for calling the help desk, as they want personnel to assist them in their time of need.

Creating Users and User Groups for MBAM

At the help desk, you have different levels of users and, depending on which user group they are in, they can get more advanced functionality. However, gaining access to this functionality requires that the help desk user is a member of a group specified when you set up MBAM. If you’ve been following my latest SCCM setup guides here, in Part 2 you’ll see that there is a PowerShell script to create users and user groups in Active Directory, including Service Accounts, for functions such as MBAM. You can see the creation of these user groups below and you can download the script(s) used here.

This script creates some MBAM related users/groups which are shown below. The Help Desk function uses the MBAM_HD user group when I set it up as specified here.

That user group is the one you use when setting up MBAM within Configuration Manager using the following script. I’ve marked in bold the bit which decides what user group belongs to the Help Desk.

.\MBAMWebSiteInstaller.ps1 -SqlServerName <ServerName> -SqlInstanceName <InstanceName> -SqlDatabaseName <DatabaseName> -ReportWebServiceUrl <ReportWebServiceUrl> -HelpdeskUsersGroupName <DomainUserGroup> -HelpdeskAdminsGroupName <DomainUserGroup> -MbamReportUsersGroupName <DomainUserGroup> -SiteInstall Both

You can of course create user groups with your own naming standard for your company as appropriate; this is only an example of how to set it up. What is important, however, is that you add users to that user group, as those users will be able to access the Help Desk abilities in MBAM to provide support to your users.

Help Desk User versus Help Desk Advanced User

The script used above for creating users and user groups creates two Help Desk user groups, one for help desk users and another for help desk advanced users. All you have to do is add users to the appropriate user group. Those user groups are called:

- MBAM_HD
- MBAM_HD_Adv

The MBAM_HD user group contains users that are help desk users and they have the following abilities.

Provides access to the Manage TPM and Drive Recovery areas of the Administration and Monitoring Website. Individuals who have this role must fill in all fields, including the end-user’s domain and account name, when they use either area.

The MBAM_HD_Adv user group contains users that are help desk advanced users and they have the following abilities.

Provides access to all areas of the Administration and Monitoring Website. Users who have this role enter only the recovery key, and not the end user’s domain and user name, when helping end users recover their drives.

If a user is a member of both the MBAM Helpdesk Users group and the MBAM Advanced Helpdesk Users group, the MBAM Advanced Helpdesk Users group permissions override the MBAM Helpdesk Users Group permissions.

Note: For more info about these user groups see this post from Microsoft.

Note: I’ve manually created the two users below; the script does not create them as it expects you to add users to the user groups yourself.

So let’s add a user called HelpDeskUser to the MBAM_HD user group.

And let’s add a user called HelpDeskAdvanced to the MBAM_HD_Adv user group.

Help Desk User

Log on to a computer as HelpDeskUser and browse to the help desk website, for example in my lab it is:

https://cm01.windowsnoob.lab.local/helpdesk

You should see the following; note that the user logged on is displayed in the top right of the website:

If the help desk user clicks on Drive Recovery to assist a user calling in for BitLocker Recovery, they will see the following. They need to enter all fields provided, including a reason for the request, before clicking Submit.

After submitting the request they can assist the user by providing them the drive recovery key. Note that they can copy it to (for example) email the BitLocker recovery key to the user, or save the key locally (to email to the user or give it to them over the phone), or create a .keypackage to be used when recovering corrupted drives.

They can also manage the TPM (Trusted Platform Module) via the Manage TPM link.

After filling in the needed info, clicking on Submit reveals the TPM Owner Password.

Help Desk Advanced User

Log on to a computer as HelpDeskAdvancedUser and browse to the help desk website, for example in my lab it is:

https://cm01.windowsnoob.lab.local/helpdesk

You should see the following; note that the user logged on is displayed in the top right of the website:

As before, this user can assist users with Drive Recovery operations, however now it’s easier (and quicker) to do as they are only required to enter the Key ID and Reason for the recovery.

And after clicking Submit, the same choices are available as for the Help Desk User.

For Manage TPM, again, there are fewer ‘required’ items to fill in for the Advanced help desk user (only 3 items are required to fill in versus 5 for the help desk user).

And after clicking Submit, the TPM Password owner file is presented.

So there you have it, help desk functionality for MBAM is provided within SCCM as of System Center Configuration Manager Technical Preview version 1909. Do check it out, it’s awesome! In the next blog post I’ll look at MBAM reporting.

Related reading

- https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/mbam-v2/how-to-recover-a-corrupted-drive-mbam-2
- https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/mbam-v25/how-to-use-the-self-service-portal-to-regain-access-to-a-computer-mbam-25
- On-premises BitLocker management using System Center Configuration Manager
- How can I get BitLocker Recovery Keys from the ConfigMgr database
- How to fix: “Unable to find suitable Recovery Service MP. Marking policy non-compliant”
- https://techcommunity.microsoft.com/t5/Enterprise-Mobility-Security/Microsoft-expands-BitLocker-management-capabilities-for-the/ba-p/544329
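Because membership of MBAM_HD and MBAM_HD_Adv decides who can retrieve recovery keys and TPM owner passwords, it is worth reviewing who ends up with which role. The following is an added example, not part of the original post or its scripts: the function name and the sample account `jdoe` are assumptions, and the member lists are constructed so it runs without a domain.

```powershell
# Added example: report the effective MBAM help desk role of each account.
# Group names MBAM_HD / MBAM_HD_Adv come from the post; Get-MbamHelpDeskRole
# is a hypothetical helper written for this illustration.
function Get-MbamHelpDeskRole {
    param(
        [string[]]$HelpDeskMembers = @(),   # members of MBAM_HD
        [string[]]$AdvancedMembers = @()    # members of MBAM_HD_Adv
    )

    $all = @($HelpDeskMembers) + @($AdvancedMembers) |
        Where-Object { $_ } | Sort-Object -Unique

    foreach ($account in $all) {
        $inHd  = $HelpDeskMembers -contains $account
        $inAdv = $AdvancedMembers -contains $account

        [pscustomobject]@{
            Account       = $account
            InMBAM_HD     = $inHd
            InMBAM_HD_Adv = $inAdv
            # Per the post: advanced group permissions override help desk ones.
            EffectiveRole = if ($inAdv) { 'Advanced Help Desk' } else { 'Help Desk' }
            # Help desk users must also supply the end user's domain and
            # account name; advanced users need only the Key ID and a reason.
            MustEnterEndUser = -not $inAdv
            # Accounts in both groups: the MBAM_HD membership has no effect.
            InBothGroups  = $inHd -and $inAdv
        }
    }
}

# Constructed sample membership. HelpDeskUser and HelpDeskAdvanced are the lab
# accounts from the post; 'jdoe' is a made-up account placed in both groups.
$hd  = 'HelpDeskUser', 'jdoe'
$adv = 'HelpDeskAdvanced', 'jdoe'

# Against a real domain (requires the ActiveDirectory module):
# $hd  = (Get-ADGroupMember -Identity 'MBAM_HD'     -Recursive).SamAccountName
# $adv = (Get-ADGroupMember -Identity 'MBAM_HD_Adv' -Recursive).SamAccountName

Get-MbamHelpDeskRole -HelpDeskMembers $hd -AdvancedMembers $adv |
    Format-Table -AutoSize
```

Using `-Recursive` in the live query matters because nested groups grant the same access as direct membership.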
 - 
	Introduction

Microsoft recently released Configuration Manager Technical Preview version 1909 which contained updates to the integrated MBAM functionality within Configuration Manager and I blogged about that here, namely Self Service and Help Desk abilities. In this blog post we’ll look at the Self Service feature for end users.

Self Service

What is the Self Service feature? Well, to put it quite simply, it allows the end user (who has the BitLocker Recovery prompt) to solve the problem by themselves without having to involve anyone else to support them.

To use the Self Service feature, let’s first take a look at an MBAM managed Windows 10 computer. If we open Control Panel and look at the Configuration Manager agent, we can see that a Configuration Item for MBAM is installed and that this computer is compliant.

And if we check the BitLocker settings, we can see it is encrypted as per the MBAM policy.

And we can even query the Recovery key as shown below with

manage-bde -protectors -get c:

BitLocker Recovery

But what if this computer had an issue, such as a change to the BIOS settings causing a BitLocker Recovery prompt at boot up? Well, because this computer is managed by MBAM and the key is stored in ConfigMgr’s database, this is no problem. So let’s see how that plays out.

As you can see from the screen above, the Windows 10 computer is prompting the end user for a BitLocker Recovery key as something (BIOS change etc.) has prompted it to do so. The end user has two choices here: call their internal help desk or solve it themselves using self service.

So how does MBAM Self Service work?

The user can use another Windows device (or phone) to access the self service URL located at their site; in my lab that is

https://cm01.windowsnoob.lab.local/SelfService

After logging in with their company credentials, they’ll be prompted with a notice which they need to read and accept.

Customizing the Self Service Portal

Notice how the page and notice text are customized for the organization. To make those changes simply locate the Notice.txt file in your MBAM self service installation folder; in this technical preview release it's located here:

C:\inetpub\Microsoft BitLocker Management Solution\Self Service Website

and edit the notice.txt as Administrator (you may have to open the file via an administrative command prompt to save the changes). I added the following text:

Welcome to the windowsnoob Microsoft BitLocker Management Solution ! By using this web site you agree that all your actions are logged, do not use this service for gaining access to computers encrypted file system without proper authorization.

Save the file and then open Internet Information Services (IIS), and expand the Self Service app. Click on Application Settings.

In Application Settings, modify CompanyName from Contoso IT to your company name.

The Self Service experience

Once the user accepts the notice they can click on Continue. They are then presented with recovery options.

Here (1), the user can insert the first 8 characters of their Recovery Key ID displayed on their boot up screen and select a reason from one of three options:

- BIOS/TPM changed
- OS Files modified
- Lost PIN-Passphrase

And then click on Get Key. The Recovery Key is displayed in (2). That’s all you need; there is a third, optional option to change your BitLocker credentials via Control Panel after unlocking the device.

Once entered, the user can boot their computer and all is fine. Job done!

For the ConfigMgr Admins out there that like to do things using SQL, you can also get that recovery key directly using queries within the ConfigMgr database as I show here.

Related reading

- https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/mbam-v25/how-to-use-the-self-service-portal-to-regain-access-to-a-computer-mbam-25
- On-premises BitLocker management using System Center Configuration Manager
- How can I get BitLocker Recovery Keys from the ConfigMgr database
- How to fix: “Unable to find suitable Recovery Service MP. Marking policy non-compliant”
- https://techcommunity.microsoft.com/t5/Enterprise-Mobility-Security/Microsoft-expands-BitLocker-management-capabilities-for-the/ba-p/544329

In the next blog post I’ll show you how the Help Desk functionality works.

until next time, cheers niall
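The Self Service portal asks for the first 8 characters of the Recovery Key ID, which is the ID of the volume's Numerical Password protector in the `manage-bde -protectors -get c:` output. The following is an added example, not code from the original post: the function name is hypothetical, the sample output is constructed (made-up GUIDs, recovery password replaced by a placeholder), and it assumes English-language `manage-bde` output.

```powershell
# Added example. Constructed sample of English `manage-bde -protectors -get c:`
# output: the GUIDs are made up and the recovery password is a placeholder.
$sample = @'
Volume C: [Windows]
All Key Protectors

    TPM:
      ID: {11111111-2222-3333-4444-555555555555}
      PCR Validation Profile:
        7, 11

    Numerical Password:
      ID: {A1B2C3D4-1111-2222-3333-444455556666}
      Password:
        <recovery-password-redacted>
'@

# Hypothetical helper: returns the Key ID of each Numerical Password protector
# and the 8-character prefix the portal asks for. It never emits the password.
function Get-RecoveryKeyId {
    param([Parameter(Mandatory)][string]$ManageBdeOutput)

    $section = $null
    foreach ($line in ($ManageBdeOutput -split "`r?`n")) {
        $text = $line.Trim()
        if ($text -match '^(?<name>[A-Za-z ]+):$') {
            # Section header such as "TPM:" or "Numerical Password:"
            $section = $Matches['name']
        }
        elseif ($section -eq 'Numerical Password' -and
                $text -match '^ID:\s*\{(?<id>[0-9A-Fa-f-]{36})\}$') {
            [pscustomobject]@{
                KeyId       = $Matches['id']
                PortalInput = $Matches['id'].Substring(0, 8)
            }
        }
    }
}

Get-RecoveryKeyId -ManageBdeOutput $sample

# On a managed client, from an elevated prompt:
# Get-RecoveryKeyId -ManageBdeOutput ((manage-bde -protectors -get c:) -join "`n")
```

The TPM protector's ID is skipped on purpose, since only the Numerical Password protector's ID matches what the recovery screen shows.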
 - 
	
	
				Driver Source Files
anyweb replied to sysadmin101's topic in System Center Configuration Manager (Current Branch)
sometimes only the cat/sys and inf are needed, sometimes more than that, each driver/hardware device has different requirements, also the inf itself may point to additional files and that's why they are sometimes required. If in doubt start with the cat/sys/inf and try importing that, if it works all is good, if not look at the contents of the inf file to see what files it expects to be added. - 
	i'd start with looking at all the things mentioned in the error, one by one,
- 5 replies
 - 
	check your RBAC settings, i.e. are you in a group that is a member of some group that has access to run the console
- 5 replies
 - 
	Good afternoon! I study these cool manuals, Very cool! thanks ! the goal is to learn how to setup ConfigMgr in a lab from start to finish, either using manual methods or automated using PowerShell, the goal of the GPO is simply to allow you to automate the making of a user as a local admin on the ConfigMgr server, it's optional
 - 
	please post separate problems as new topics, that way it won't confuse others, thanks.
- 24 replies
 
 - 
	did this occur when you were following this guide or somewhere else ?
- 24 replies
 
 - 
	hi the ConfigureADDS.ps1 script creates the InstallDHCP.ps1 PowerShell script.
- 24 replies
 
 - 
	ALTARO FREE Webinar + FREE ebook - Save your seat Many people still don’t know the difference between Office 365 and Microsoft 365 and to be honest it’s not immediately clear because the names don’t really give much away. However, for businesses, and those managing IT environments, it’s important to understand the implications of choosing one over the other. Luckily, Altaro are hosting a free webinar presenting the two options, their respective merits, and to ultimately help you figure out which is best for you. As with all Altaro webinars, questions are highly encouraged so if you want to directly address which package suits the specifics of your environment during the session, you can feel free to ask! The webinar will be presented by Microsoft MVP Andy Syrewicze and Microsoft Certified trainer and Consultant Paul Schnackenburg on October 1st and registration is completely free. All webinar attendees will also receive a free 50+ page eBook on Office/Microsoft 365 containing critical user information! To receive the eBook, all you need to do is attend the webinar - Save your seat The webinar will be presented live twice on October 1st so you have two chances to attend. First session: 2pm CEST/8am EDT/5am PDT Second session: 10pm CEST/4pm EDT/1pm PDT. It’s a nice touch from Altaro to present the webinar twice and enable as many people to join live. I will be attending the webinar, so I’ll see you there! - Save your seat!
 - 
	
	
				Update Error SCCM to 1906
anyweb replied to AlekseyM's topic in System Center Configuration Manager (Current Branch)
I've seen upgrades fail when SEP is installed, disabling it was not enough we had to uninstall it, reboot and try again is there anything different about this site versus the other ? - 
	
	
				Update Error SCCM to 1906
anyweb replied to AlekseyM's topic in System Center Configuration Manager (Current Branch)
uninstall Symantec, reboot, then try the upgrade again - 
	
	
				Update Error SCCM to 1906
anyweb replied to AlekseyM's topic in System Center Configuration Manager (Current Branch)
i see these messages

SQL MESSAGE: - Found UpgradeViewMapping exists, previous upgrade may have failed. Try to revert some of the objects related to DVIEW $$<CONFIGURATION_MANAGER_UPDATE><09-13-2019 12:12:33.914-180><thread=4296 (0x10C8)>

followed by...

INFO: Executing SQL Server command: < declare @t table (ObjectKey nvarchar(512) , ObjectTypeID int) insert into @t (ObjectKey, ObjectTypeID) select distinct ID, TypeID from vRBAC_AllItemsID where TypeID IN (select ObjectTypeID from RBAC_ObjectOperations where OperationName=N'Set Security Scope'); insert into RBAC_CategoryMemberships (CategoryID, ObjectKey, ObjectTypeID) select N'SMS00UNA', ra.ObjectKey, ra.ObjectTypeID from @t ra left join (select distinct ObjectKey, ObjectTypeID from RBAC_CategoryMemberships ) rcm on ra.ObjectKey=rcm.ObjectKey and ra.ObjectTypeID=rcm.ObjectTypeID where rcm.ObjectKey IS NULL; > $$<CONFIGURATION_MANAGER_UPDATE><09-13-2019 12:24:26.852-180><thread=4296 (0x10C8)>
ERROR: Failed to execute SQL Server command, SQL Server error <>~ $$<CONFIGURATION_MANAGER_UPDATE><09-13-2019 12:24:26.852-180><thread=4296 (0x10C8)>
*** [HY007][0][Microsoft] Associated statement is not prepared $$<CONFIGURATION_MANAGER_UPDATE><09-13-2019 12:24:26.853-180><thread=4296 (0x10C8)>
ERROR: Failed to assign default objects to default security scope(FinalSqlOperations). $$<CONFIGURATION_MANAGER_UPDATE><09-13-2019 12:24:26.853-180><thread=4296 (0x10C8)>
Failed to update database. $$<CONFIGURATION_MANAGER_UPDATE><09-13-2019 12:24:26.854-180><thread=4296 (0x10C8)>

is there any third party antivirus software installed on this server ? are you doing the upgrade as the same user as on the other primary ?
 - 
	
	
				Computer is unknown after deployment
anyweb replied to Kevin79's question in Deploying Operating Systems
ok sorry about the delay, busy working, from first (quick) looks it looks like your logs are way too small and therefore missing details (such as the info we really need to see to diagnose this), so you'll need to modify the ccmsetup command line to increase the log file size, this will show you how to do that. once done, deploy a machine again and capture the new logs, attach them here

cheers niall
