This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
In Task Sequence, if using MBAM, there are 2 different options how to encrypt the drive with Bitlocker.
I've been testing both of them, and here are pros and cons
Enable Bitlocker Step
Using Invoke Powershell scrip
The whole point of thesting and posting is, that I would be happy to use only CM and Invoke Powershell, but I need a back up solution for recovery keys.
If you're concerned about your CM Site going down and being unable to access your BitLocker Keys, You might consider doing High Availability (HA) CM with SQL Always on.
More details are provided here: https://learn.microsoft.com/en-us/mem/configmgr/core/servers/deploy/configure/high-availability-options
Yes, but it is too tricky. In computer enviroment, the very first thing needed to be High-Available are the Recovery Keys (like AD). Also we need recovery keys to be available during longer maintenance or breakdown of CM.
Thanks for your input. This is just my opinion.
Hi,
Thanks for posting in Microsoft MECM Q&A forum.
We can download the Invoke-MbamClientDeployment.ps1 script from Microsoft.com Download Center to have a try. This is the main script that your deployment system will call to configure BitLocker drive encryption and record recovery keys with the MBAM Server.
Refer to the official article for more details:
How to Enable BitLocker by Using MBAM as Part of a Windows Deployment
Best regards,
Simon
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Sure go ahead and test, but I can promise you, that this script existing will not save the key to AD.
Hi,
Thanks for your reply. I will do more research, if there is any update, I will let you know. Thanks for your understanding.
Best regards,
Simon