If you're concerned about your CM site going down and being unable to access your BitLocker keys, you might consider doing High Availability (HA) CM with SQL Always On.
More details are provided here: https://learn.microsoft.com/en-us/mem/configmgr/core/servers/deploy/configure/high-availability-options
Bitlocker / MBAM considerations in OSD
In the Task Sequence, if using MBAM, there are 2 different options for how to encrypt the drive with BitLocker.
- Using the Enable BitLocker step
- Using an Invoke PowerShell script step
I've been testing both of them, and here are the pros and cons:
Enable BitLocker Step
- Recovery Key goes also to AD
- Recovery Key will not get refreshed in AD after recovery (I do use GPO which enables this but the key was not re-generated)
- Installing MBAM client, applying the policy and escrowing the key takes time after Task Sequence is complete
Using Invoke PowerShell script
- Everything happens fast and works fine
- Recovery key does not go to AD
- There is no backup solution (AD) if the CM site dies.
The whole point of testing and posting is that I would be happy to use only CM and Invoke PowerShell, but I need a backup solution for recovery keys.
2 answers
Gary Blok 1,736 Reputation points
2020-11-12T02:07:32.3+00:00
Simon Ren-MSFT 34,321 Reputation points Microsoft Vendor
2020-11-12T02:46:28.983+00:00 Hi,
Thanks for posting in Microsoft MECM Q&A forum.
We can download the Invoke-MbamClientDeployment.ps1 script from the Microsoft Download Center to have a try. This is the main script that your deployment system will call to configure BitLocker drive encryption and record recovery keys with the MBAM Server.
Refer to the official article for more details:
How to Enable BitLocker by Using MBAM as Part of a Windows Deployment
Best regards,
Simon
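The gap the question raises with the script route is that the recovery key is escrowed only to the MBAM/CM database, with no AD DS copy. The following is an added example, not code from the question, the answer, or the MBAM script: a separate Run PowerShell Script step placed after the MBAM deployment script that backs up the volume's recovery password protector to AD DS as a second escrow location. It assumes the BitLocker PowerShell module is present, the machine is domain-joined, and the "Store BitLocker recovery information in AD DS" policy the question mentions is applied (Backup-BitLockerKeyProtector fails without it).

```powershell
# Added example: escrow the OS volume's recovery password to AD DS after
# Invoke-MbamClientDeployment.ps1 has run. Assumes the BitLocker module,
# a domain-joined client, and the AD DS recovery-information policy.
$MountPoint = 'C:'

$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    # Nothing to escrow; fail the step so the task sequence surfaces it
    Write-Error "Volume $MountPoint is not BitLocker-protected."
    exit 1
}

# MBAM normally adds a numerical recovery password; only add one if missing
$rp = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
if (-not $rp) {
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
          Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
}

foreach ($p in $rp) {
    try {
        # -ErrorAction Stop turns a non-terminating error into one catch can see
        Backup-BitLockerKeyProtector -MountPoint $MountPoint `
            -KeyProtectorId $p.KeyProtectorId -ErrorAction Stop | Out-Null
        Write-Output "Escrowed recovery password $($p.KeyProtectorId) to AD DS."
    } catch {
        # Message lands in smsts.log; non-zero exit fails the step
        Write-Error "AD DS escrow failed for $($p.KeyProtectorId): $_"
        exit 1
    }
}
```

To confirm the escrow, the msFVE-RecoveryInformation child objects of the computer account can be checked from an admin workstation with the ActiveDirectory module; if the policy also sets "Do not enable BitLocker until recovery information is stored to AD DS", an escrow failure here blocks encryption rather than silently leaving the key in the MBAM database only.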