- Overview
- Realm setup
- Active Directory & SCCM setup
- Active directory - Security group
- Active directory - Broker account
- SCCM - Deployment collection
- SCCM - Administrative category for applications
- SCCM - Administrative category for office
- SCCM - Limiting collection for collections
- AD - Parent AD group for AD group list
- AD - Staging OU
- SCCM - Configuration directory
- SCCM - WinPE boot image setup
- Configuration tool & File
- Realm secret key
- Allowed WinPE instances
- Network access account
- Notification account
- Hostname formatting
- Automatically identify hostname
- Overrides
- Active directory staging OU
- MBAM Server details
- SMTP server details
- Notification types
- User state migration (USMT)
- Logs and Profiles location
- Disk setup
- Content availability check
- Error adding collection member
- Error adding AD group member
- Wait for Bitlocker decryption
- Approved hardware
- Extension Attributes
- Using sccmtspsi (Operator view)
- Task sequence steps
- Task sequence error codes
- sccmtspsi error codes
3.2. Active Directory - Broker account
There should be one Active Directory broker account per Realm. As the name suggests, this account acts as an intermediary (a broker) between the SCCMTSPSI user interface and the backend infrastructure: every action the tool performs against AD, SCCM and MBAM for that Realm runs under this account, so its rights define what an operator of the Realm can reach. Create the following Active Directory account:
sccmtspsi-broker-XXX [Where XXX is the Realm name]
Add the broker account as a member of the following security group (see the Security group section above):
sccmtspsi-users-XXX [Where XXX is the Realm name]
This Active Directory account should have the following privileges, and no more. [It is the security context for the Realm, so it should not be a member of privileged groups such as Domain Admins or Account Operators, nor hold an SCCM Full Administrator role.]
- Permission to create and delete computer objects, and the leaf objects under them, in AD DS. We recommend narrowing this to the OU(s) the Realm uses (for example the staging OU) rather than granting it at the domain root.
- Permission to remove computer objects from SCCM. We recommend narrowing the scope within SCCM, e.g. no access to server collections, access only to non-server collections.
- Permission to stage computer objects into SCCM. We recommend narrowing the scope within SCCM, e.g. to just “All Systems” [or a collection limited by it] and the Realm deployment collection “sccmtspsi-deployments-r01” [where r01 is the name of the Realm].
- Read access to the “patch”, “token” and “usmt” folders within the configuration directory (discussed later on this page).
- Read/write access to the logging location set in the configuration file (discussed later on this page).
- ‘Advanced helpdesk’ or ‘Administrator’ level access to Microsoft BitLocker Administration and Monitoring (MBAM) (discussed later on this page).
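The Active Directory part of the steps above (create the broker account, add it to the Realm group, delegate computer create/delete rights scoped to one OU, then verify the result) as a PowerShell script. This is an added example, not a script shipped with sccmtspsi: the Realm name r01, the staging OU distinguished name and the list of privileged groups it warns about are assumptions, and the SCCM and MBAM rights from the list above are granted in those products' consoles and are not covered here.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not part of the sccmtspsi documentation). Assumptions: Realm
# name r01 and the staging OU DN below are placeholders; adjust both.
param(
    [string]$Realm     = 'r01',
    [string]$StagingOU = 'OU=Staging,OU=Workstations,DC=corp,DC=example'
)
Import-Module ActiveDirectory

$BrokerName = "sccmtspsi-broker-$Realm"
$GroupName  = "sccmtspsi-users-$Realm"

# 1. Create the broker account. It is a service account for the Realm, so
#    give it a description that makes its purpose obvious to other admins.
$Password = Read-Host -AsSecureString -Prompt "Password for $BrokerName"
New-ADUser -Name $BrokerName -SamAccountName $BrokerName `
    -AccountPassword $Password -Enabled $true `
    -Description "sccmtspsi broker account for Realm $Realm"

# 2. Group membership required by sccmtspsi.
Add-ADGroupMember -Identity $GroupName -Members $BrokerName

# 3. Delegate create/delete of computer objects on the staging OU only,
#    instead of granting the right at the domain root.
$BrokerSid    = (Get-ADUser -Identity $BrokerName).SID
$ComputerGuid = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of the "computer" class
$AdPath       = "AD:\$StagingOU"
$Acl          = Get-Acl -Path $AdPath

# ACE 1: create/delete child objects of class "computer" in this OU and its sub-OUs.
$CreateDelete = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $BrokerSid,
    [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $ComputerGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$Acl.AddAccessRule($CreateDelete)

# ACE 2: on descendant computer objects, allow deleting the subtree so that leaf
#        objects under a computer (e.g. BitLocker recovery information) are removed with it.
$DeleteLeaf = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $BrokerSid,
    [System.DirectoryServices.ActiveDirectoryRights]'DeleteTree, DeleteChild',
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $ComputerGuid)
$Acl.AddAccessRule($DeleteLeaf)

Set-Acl -Path $AdPath -AclObject $Acl

# 4. Verify: show exactly which ACEs the broker now holds on the OU ...
(Get-Acl -Path $AdPath).Access |
    Where-Object { $_.IdentityReference -like "*\$BrokerName" } |
    Format-Table IdentityReference, ActiveDirectoryRights, AccessControlType,
                 ObjectType, InheritanceType, InheritedObjectType -AutoSize

# ... and warn if someone has put it into a privileged group (assumed list).
$Privileged = 'Domain Admins', 'Enterprise Admins', 'Administrators',
              'Account Operators', 'Schema Admins'
$Bad = Get-ADPrincipalGroupMembership -Identity $BrokerName |
       Where-Object { $Privileged -contains $_.Name }
if ($Bad) {
    Write-Warning "$BrokerName is a member of privileged group(s): $($Bad.Name -join ', ')"
} else {
    Write-Host "$BrokerName holds no privileged group membership."
}
```

Run it from a session that already has rights to modify the OU's ACL (for example as a delegated OU administrator, not as Domain Admin), and keep the two ACEs as the only AD rights the broker holds; if the Realm later needs a second OU, re-run step 3 against that OU rather than widening the scope of the existing ACEs.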