Backup Bitlocker Recovery Key during OSD Task Sequence

jaybird283 561 Reputation points
2021-06-10T20:00:48.573+00:00

I have been trying to get an OSD task sequence set up for imaging PCs, enabling BitLocker, and backing up the recovery key to Config Manager. I followed the instructions to run Invoke-MbamClientDeployment.ps1 to do this, but it seems to fail a lot. I tried disabling auto root certificate updates and that helped a little bit, but that script still seems unreliable. Is there a newer way of backing up the recovery info? Maybe something built into newer versions of MEMCM? It seems like an outdated process and something that should be integrated.


Accepted answer
  1. Frank Rojas 116 Reputation points Microsoft Employee
    2021-06-25T20:17:08.747+00:00

    DO NOT use the Invoke-MbamClientDeployment.ps1 script with ConfigMgr BitLocker Management. This script is not supported for use either with versions of ConfigMgr newer than 1902 or with ConfigMgr BitLocker Management. Using this script with ConfigMgr 2103 or newer will in fact cause major issues. Regarding enabling BitLocker during a task sequence, simply use the out-of-the-box Pre-provision BitLocker and Enable BitLocker tasks. Regarding escrowing keys during the task sequence, this feature is not currently available in the product, but it also is not really needed. For versions of ConfigMgr prior to 2103 that have BitLocker Management, the key will escrow after the task sequence is done, the client registers, and a user logs in locally, assuming a BitLocker Management policy is deployed to the device. For ConfigMgr 2103 or newer, the key will escrow after the task sequence is done and the client registers, again assuming a BitLocker Management policy is deployed to the device. A user does not have to log into the device for the key to escrow in ConfigMgr 2103 or newer.

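    The answer above says escrow happens only after the built-in Pre-provision BitLocker and Enable BitLocker steps have run and the client has registered. The following PowerShell check is an added example (not code from the thread or from the ConfigMgr product) that an admin can run on a freshly imaged device to confirm the OS volume is actually in an escrowable state before waiting on the site; it assumes the OS volume is mounted at C: and uses only the standard BitLocker module cmdlets.

```powershell
# Added example: verify that the OS volume left by the OSD task sequence
# has what ConfigMgr BitLocker Management needs before it can escrow a key.
# Assumption: the OS drive is C:; property values are those documented for
# the BitLocker PowerShell module (Get-BitLockerVolume).
function Test-OsVolumeReadyForEscrow {
    param([string]$MountPoint = 'C:')

    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    $problems = @()

    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        $problems += "$MountPoint is not encrypted"
    }
    if ($vol.ProtectionStatus -ne 'On') {
        # Pre-provision BitLocker leaves protection suspended; the Enable
        # BitLocker step is what should turn it on.
        $problems += "protection is $($vol.ProtectionStatus) (expected On)"
    }
    $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    if ($recovery.Count -eq 0) {
        # Without a numerical (recovery password) protector there is nothing to escrow.
        $problems += 'no RecoveryPassword key protector present'
    }
    $tpm = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -like 'Tpm*' })
    if ($tpm.Count -eq 0) {
        $problems += 'no TPM-based key protector present'
    }

    # Only the protector IDs are returned, never the recovery password itself;
    # the IDs can be matched against the key the site has escrowed.
    [pscustomobject]@{
        MountPoint     = $MountPoint
        Ready          = ($problems.Count -eq 0)
        Problems       = $problems
        RecoveryKeyIds = @($recovery.KeyProtectorId)
    }
}

$result = Test-OsVolumeReadyForEscrow
if (-not $result.Ready) {
    Write-Warning ('BitLocker escrow prerequisites not met: ' + ($result.Problems -join '; '))
    exit 1
}
Write-Output "Ready for escrow; recovery protector ID(s): $($result.RecoveryKeyIds -join ', ')"
```

    Run it from an elevated prompt after the client has registered; a non-zero exit is a signal to inspect the Enable BitLocker step in smsts.log rather than to reach for the unsupported MBAM script.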

5 additional answers

  1. HanyunZhu-MSFT 1,841 Reputation points
    2021-06-11T08:09:39.447+00:00

    Hi @jaybird283 ,

    Thank you for posting in Microsoft Q&A forum.

    You have done some steps for troubleshooting and have excluded some possibilities for our next work.
    For further reference, could you share the smsts.log with the sensitive information to review? Maybe we can find the problem that caused the script to fail.

    And I found an article that describes the task sequence deployment of MBAM client in detail, we may use this as a reference:
    https://msendpointmgr.com/2020/04/02/goodbye-mbam-bitlocker-management-in-configuration-manager-part-3/
    Note: This is not from MS, just for your reference.


    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  2. jaybird283 561 Reputation points
    2021-06-11T22:23:14.707+00:00

    Thanks for your response. I actually followed that link you shared when I set up my task sequence. Here is the relevant section of the SMSTS.log.

    [attached image: 104907-image.png]


  3. jaybird283 561 Reputation points
    2021-06-26T05:10:46.377+00:00

    @Frank Rojas this is great info. Thanks for sharing. Do you have any suggestions on applying a BitLocker policy to ONLY new machines (as soon as they come up)?


  4. Frank Rojas 116 Reputation points Microsoft Employee
    2021-07-01T19:35:53.073+00:00

    Why would you only want to do new machines?
