Using the ConfigMgr AdminService to Retrieve BitLocker Recovery Keys and Triggering Key Rotation

The Key to Success is Knowledge
Recently Garth Jones accused me of knowing something that I knew nothing about and I was very offended by that. So much so, that when Bryan Dam came to me demanding to know the keys to BitLocker keys in ConfigMgr, I decided I should figure it out. So I did. Here’s what I know now:
Keying in on the Issue
When trying to automate processes around ConfigMgr, there are Ways to do things then there are Supported Ways to do things.

CMPivot Reference

The following examples were compiled from the CMPivot Home screen examples, and the PowerShell equivalent commands were extracted from the CMPivot PowerShell script that is copied down locally to C:\Windows\CCM\ScriptStore. The goal is to provide a way to understand what each command is actually doing when you run it.
Interpreting this Reference
Query Type
WMI - The command run locally on the client is querying WMI. Any entity not listed here but available in CMPivot uses the same WMI Class that ConfigMgr Client Hardware Inventory uses.

When VDI and ConfigMgr Co-Management Collide

Before we begin, here are some notes about persistent and non-persistent VDI that will likely give you nightmares:
Intune doesn’t support non-persistent VDI
Azure Active Directory only supports Hybrid Azure AD Join for non-persistent VDI
ConfigMgr recommends limiting client functionality on non-persistent VDI but there is no mention about the impact of Co-Management on these devices.
Whatever you do, don’t Hybrid Join then Co-Manage your VDI Master Image or you’re in for a bad time!

Using ConfigMgr Run Scripts and Microsoft Quick Assist to Repair a Broken Domain Trust Relationship

Recently one of our sites began having some issues with domain-joined devices losing their trust relationship with Active Directory. While some users were able to log in with cached credentials, we had no easy way to get admin credentials to repair the domain trust. I’m going to show how ConfigMgr Run Scripts and Microsoft Quick Assist helped us get admin access to the devices to perform troubleshooting and remediation. The purpose of this post is to show how we can leverage various tools to solve challenging problems in production.

How to find Settings Preventing Application Deletion in ConfigMgr

Today my co-worker was attempting to delete an old application and got blocked with the following message, and I wanted to document it for future reference. Configuration Manager cannot delete this application because other applications or task sequences reference it or it is configured as a deployment.

Autopilot Profile causes Device Rename after ConfigMgr OSD Task Sequence and Breaks AD Domain Trust

We got some new hardware models in this week and added drivers to our ConfigMgr OSD Task Sequence (with Windows 10 1909 serviced with November 2020 updates) to test. One of the devices kept ending up with a broken domain trust relationship when you attempt to log in immediately following build completion. The security database on the server does not have a computer account for this workstation trust relationship

Windows 10 Feature Updates – Testing the /MigNEO Disable Parameter

Over the past few weeks I’ve been testing re-writing my Windows 10 Feature Update repo to make it easier to implement - if you haven’t tried it, go check it out. Just follow the readme in the repo. During the re-write I was reminded that there were a few command line parameters that I hadn’t experimented with. One of them is /MigNEO, which only has a Disable option. According to the product group, NEO stands for non-event objective, which doesn’t help it make more sense to me.

Analyze SetupDiag errors for Feature Updates in ConfigMgr 2008 Technical Preview

As soon as I read the release notes for ConfigMgr 2008 Technical Preview I knew I would be doing some digging. This release introduced the first iteration of a feature that will hopefully help make Windows 10 Feature Update servicing a little easier to manage. Listed as "Analyze SetupDiag errors for feature updates", this feature has been added to the Windows 10 Servicing dashboard. When I initially read the release notes and looked at the included graph, I was disappointed.

Troubleshooting ConfigMgr Enhanced HTTP and Azure Directory Group Sync

Today I got to help my buddy Adam Juelich with getting ConfigMgr Azure Directory Group Sync working. It’s an awesome new feature that allows you to sync ConfigMgr collection memberships to your Azure tenant. Adam had followed all of the steps and ensured that prerequisites were all configured properly but sync would never work. Over a Teams meeting we double checked everything and walked through Ronny Dejong’s (He covers pretty much all of troubleshooting steps needed for this!