1. Overview
  2. Realm setup
  3. Active Directory & SCCM setup.
    1. Active directory - Security group
    2. Active directory - Broker account
    3. SCCM - Deployment collection
    4. SCCM - Administrative category for applications
    5. SCCM - Administrative category for office
    6. SCCM - Limiting collection for collections
    7. AD - Parent AD group for AD group list
    8. AD - Staging OU
    9. SCCM - Configuration directory
    10. SCCM - WinPE boot image setup
  4. Configuration tool & File
    1. Realm secret key
    2. Allowed WinPE instances
    3. Network access account
    4. Notification account
    5. Hostname formatting
    6. Automatically identify hostname
    7. Overrides
    8. Active directory staging OU
    9. MBAM Server details
    10. SMTP server details
    11. Notification types
    12. User state migration (USMT)
      1. Data store encryption
      2. Migration types
      3. Free space
      4. Config XML
      5. Migration rules XML
      6. Ignore return error codes
      7. Migrating EFS files
      8. Move domain
      9. Move user
      10. Currupt user profiles
    13. Logs and Profiles location
    14. Disk setup
    15. Content availability check
    16. Error adding collection member
    17. Error adding AD group member
    18. Wait for Bitlocker decryption
    19. Approved hardware
    20. Extension Attributes
  5. Using sccmtspsi (Operator view)
    1. sccmtspsi login window content
    2. sccmtspsi controls
      1. Asset hostname
      2. Unlock bitlocker
      3. Get task sequence deployments
      4. Get operating system images and packages
      5. Get office application
      6. Get SCCM applications
      7. Get SCCM collections
      8. Get AD Groups
      9. sccmtspsi actions
      10. Data migration options
      11. Primary users
      12. AD / SCCM entry
      13. Extension Attributes
  6. Task sequence steps
    1. sccmtspsi-tasksequence.exe
    2. Task sequence variables
    3. Apply operating system image step
  7. Requesting a Ad free license (Optional)
  8. Task sequence error codes
  9. sccmtspsi error codes

3.2.Active directory - Broker account

There should be one Active directory broker account per Realm. As the name suggests, this account acts as an intermediary or a broker between the SCCMTSPSI user interface and the backend infrastructure. Create the below Active Directory account.

sccmtspsi-broker-XXX  [Where XXX is the Realm name]

Add the broker account as a member of the below security group.

sccmtspsi-users-XXX [Where XXX is the Realm name]

This Active Directory account should have the following privileges : [This will be the security context for the Realm]

  • Permission to add/remove computer object and corresponding leaf objects in ADDS. We recommend narrowing the permission scope to specific areas within ADDS.
  • Permission to remove computer objects from SCCM. We recommend narrowing the permission scope to specific areas within SCCM. E.g. Deny permission to Server collections, Allow access to non-server collections.
  • Permission to stage computer objects into SCCM. We recommend narrowing the permission scope to specific areas within SCCM. E.g. Just “All Systems” [or one derived from that] and the Realm deployment collection “sccmtspsi-deployments-r01” [r01 is the name of the Realm].
  • Read access to the “patch“, “token” and “usmt” folders within the configuration directory (discussed later in this page).
  • Read/Write access to the logging location set in the configuration file (discussed later in this page).
  • ‘Advanced helpdesk’ or ‘Administrator’ level  access to Microsoft Bitlocker Administration and Monitoring services (discussed later in this page).



Suggest Edit