Question by wWW-7537 (edited by Amandayou-MSFT)

Adding to a device collection - OSD Task Sequence

I am deploying BitLocker management with Endpoint Configuration Manager build 2010. The task sequence works great for setting up BitLocker. I created a step in the task sequence, just before the end of the OSD Results and Branding, that adds the system to the collection. I can see in the log files as well as the management console that it is adding the device to the collection. The device is then removed from the collection either after the task sequence finishes or when a user logs into the machine.

The issue I am having is I want to add new computers to the collection that has the BitLocker management policy applied to it. Dynamic collections don't work as they require the collection to be updated each time a new computer is imaged and created (for example a Windows 10 collection).

Is there a way to get new computers to apply/be added to a BitLocker policy collection so that my techs don't have to manually add them (or use a PS script) once the computer is imaged?

Tag: mem-cm-osd

Answer by Amandayou-MSFT

Hi @wWW-7537,

We could add a reg add command line to mark that the computer has not yet had the BitLocker management policy applied; please refer to the following picture:

(screenshot: 413.png)

About the reg add, please refer to this article:
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/reg-add

And then we could use a query rule to check which of these computers are compliant.

(screenshot: 4131.png)

Finally, please run reg delete to clear the subkey or entries from the registry; about reg delete, please refer to this article:
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/reg-delete



If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.



Reply by wWW-7537 (edited by Amandayou-MSFT)

The issue we are having is not adding it to the collection. I have a PowerShell script that, just before the end of the OSD task sequence, adds the new device to the correct collection. I can see it added to the collection.

The issue is that after the task sequence is finished, the device is removed from the collection.

The BitLocker collection has a limiting collection requirement of All Systems, so that shouldn't be the issue. Once the computer is done, I can manually add it to the collection again, either through a PowerShell script or through the console. I'm trying to eliminate the need to manually add new devices to the collection.

Making them part of a dynamic collection that receives the policy is not an option, as we are required to certify that systems leaving the IT department are fully encrypted for HIPAA compliance.

Comment:

Hi,

Thank you very much for the confirmation. Based on my personal experience, the operation (to add a device to an existing collection) can only be performed on the server side. To avoid any misunderstanding, could you help to share the scripts? In addition, here's an article using PS-Remoting to perform the task. Are you using the same approach to achieve the goal?
Add a Device to a Collection during a Task Sequence
Note: This is a non-official Microsoft article just for your reference.


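The server-side step the thread is discussing (adding a freshly imaged device to the policy collection by a direct membership rule, then checking that the membership actually took), written out as an added example. This is not the poster's script nor code from the linked article; it is meant to run where the ConfigMgr console PowerShell module is installed (site server or admin workstation), for instance as the target of a PS-remoting call from the task sequence. The site code, provider server and collection name are assumptions.

```powershell
<#
  Added example, not code from the original thread. Adds a device to a BitLocker policy
  collection by direct membership rule and verifies the result. Runs on a host that has
  the ConfigMgr console module (SMS_ADMIN_UI_PATH is set by the console installer).
#>
param(
    [string]$SiteCode       = 'PS1',                          # assumption: your site code
    [string]$ProviderServer = 'cm01.contoso.local',           # assumption: SMS Provider host
    [string]$CollectionName = 'BitLocker Management Policy',  # assumption: target collection
    [Parameter(Mandatory)][string]$ComputerName               # the device that was just imaged
)

# Load the module shipped with the console and connect to the site drive.
Import-Module (Join-Path $env:SMS_ADMIN_UI_PATH '..\ConfigurationManager.psd1') -ErrorAction Stop
if (-not (Get-PSDrive -Name $SiteCode -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name $SiteCode -PSProvider CMSite -Root $ProviderServer | Out-Null
}
Set-Location "$($SiteCode):"

# Resolve the device record(s). A direct rule is bound to a ResourceID, not to a name:
# if the record it points at is later deleted or merged, the membership goes with it.
# During OSD one name can map to more than one record, so log all of them; that gives
# you something to compare against if the device later "vanishes" from the collection.
$devices = @(Get-CMDevice -Name $ComputerName)
if ($devices.Count -eq 0) {
    throw "No device record named '$ComputerName' in site $SiteCode."
}
foreach ($d in $devices) {
    Write-Host ("Found record: Name={0} ResourceID={1} IsClient={2}" -f $d.Name, $d.ResourceID, $d.IsClient)
}

# Add a direct rule for each record that does not already have one.
foreach ($d in $devices) {
    $existing = Get-CMDeviceCollectionDirectMembershipRule -CollectionName $CollectionName -ResourceId $d.ResourceID
    if ($existing) {
        Write-Host "ResourceID $($d.ResourceID) already has a direct rule in '$CollectionName'."
        continue
    }
    Add-CMDeviceCollectionDirectMembershipRule -CollectionName $CollectionName -ResourceId $d.ResourceID
    Write-Host "Added direct rule for ResourceID $($d.ResourceID)."
}

# Trigger a collection evaluation now and confirm the member shows up, rather than
# trusting that the rule was written.
Invoke-CMCollectionUpdate -CollectionName $CollectionName
Start-Sleep -Seconds 30
$member = Get-CMCollectionMember -CollectionName $CollectionName | Where-Object { $_.Name -eq $ComputerName }
if ($member) {
    Write-Host "'$ComputerName' is a member of '$CollectionName' (ResourceID $($member.ResourceID))."
} else {
    Write-Warning "'$ComputerName' is not yet listed in '$CollectionName'. Check CollEval.log on the site server and whether the ResourceID(s) above still exist."
}
```

Re-run the script after the task sequence has finished and the client has registered: if Get-CMDevice now returns a different ResourceID than it did during OSD, the direct rule created earlier was pointing at a record that no longer exists, which is the kind of thing to rule out before suspecting the collection itself.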