DO NOT use the Invoke-MbamClientDeployment.ps1 script with ConfigMgr BitLocker Management. This script is not supported for use either with versions of ConfigMgr newer than 1902 or with ConfigMgr BitLocker Management. Using this script with ConfigMgr 2103 or newer will in fact cause major issues. Regarding enabling BitLocker during a task sequence, simply use the out-of-box Pre-provision BitLocker and Enable BitLocker tasks. Regarding escrowing keys during the task sequence, this feature is not currently available in the product, but it also is not really needed. For versions of ConfigMgr prior to 2103 that have BitLocker Management, the key will escrow after the task sequence is done, the client registers, and a user logs in locally, assuming a BitLocker Management policy is deployed to the device. For ConfigMgr 2103 or newer, the key will escrow after the task sequence is done and the client registers, again assuming a BitLocker Management policy is deployed to the device. A user does not have to log in to the device for the key to escrow in ConfigMgr 2103 or newer.
Backup BitLocker Recovery Key during OSD Task Sequence
I have been trying to get an OSD task sequence set up for imaging PCs, enabling BitLocker, and backing up the recovery key to Config Manager. I followed the instructions to run Invoke-MbamClientDeployment.ps1 to do this, but it seems to fail a lot. I tried disabling auto root certificate updates and that helped a little bit, but that script still seems unreliable. Is there a newer way of backing up the recovery info? Maybe something built into newer versions of MEMCM? It seems like an outdated process and something that should be integrated.
Microsoft Security | Intune | Configuration Manager | Deployment
Frank Rojas 191 Reputation points Microsoft Employee 2021-06-25T20:17:08.747+00:00
VenturaAce 21 Reputation points 2021-07-06T16:15:14.513+00:00
Can we still use this if we are using MDT to deploy images? For example, my TS in MDT standalone deploys Windows 10, joins the domain, installs apps, installs the SCCM client, and runs the BitLocker invoke script.