jaybird283-2674 asked VenturaAce-6090 answered

Backup Bitlocker Recovery Key during OSD Task Sequence

I have been trying to get an OSD task sequence set up for imaging PCs, enabling BitLocker, and backing up the recovery key to Config Manager. I followed the instructions to run Invoke-MbamClientDeployment.ps1 to do this, but it seems to fail a lot. I tried disabling auto root certificate updates and that helped a little bit, but that script still seems unreliable. Is there a newer way of backing up the recovery info? Maybe something built into newer versions of MEMCM? It seems like an outdated process and something that should be integrated.

mem-cm-osd

frankrojas answered KhalilAhmed-3973 commented

DO NOT use the Invoke-MbamClientDeployment.ps1 script with ConfigMgr BitLocker Management. This script is not supported for use either with versions of ConfigMgr newer than 1902 or with ConfigMgr BitLocker Management. Using this script with ConfigMgr 2103 or newer will in fact cause major issues.

Regarding enabling BitLocker during a task sequence, simply use the out-of-box Pre-provision BitLocker and Enable BitLocker tasks.

Regarding escrowing keys during the task sequence, this feature is not currently available in the product, but it also is not really needed. For versions of ConfigMgr prior to 2103 that have BitLocker Management, the key will escrow after the task sequence is done, the client registers, and a user logs in locally, assuming a BitLocker Management policy is deployed to the device. For ConfigMgr 2103 or newer, the key will escrow after the task sequence is done and the client registers, again assuming a BitLocker Management policy is deployed to the device. A user does not have to log into the device for the key to escrow in ConfigMgr 2103 or newer.

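The answer above describes a chain of preconditions rather than a task sequence step: BitLocker must already be on with a TPM protector and a recovery password protector, the ConfigMgr client must be installed and registered, and the escrow then happens later under the BitLocker Management policy. The following PowerShell script is an added example for checking that post-OSD state on the finished device; it is not code from the thread or from Microsoft. It uses only the BitLocker, TrustedPlatformModule and CIM cmdlets and the root\ccm SMS_Client class; the check for the root\Microsoft\MBAM namespace assumes the ConfigMgr BitLocker Management agent exposes the same namespace as MBAM 2.5, which the page does not state, so its absence is reported rather than treated as a failure.

```powershell
# Added example (not from the thread): verify the state that must hold before
# ConfigMgr BitLocker Management can escrow a key for this device.
# Assumption (not stated on the page): the BitLocker Management agent exposes
# root\Microsoft\MBAM like MBAM 2.5; its absence is only reported.

#Requires -RunAsAdministrator

function Test-PostOsdBitLockerState {
    [CmdletBinding()]
    param(
        [string]$MountPoint = $env:SystemDrive
    )

    $result = [ordered]@{
        MountPoint           = $MountPoint
        ProtectionStatus     = $null
        VolumeStatus         = $null
        HasTpmProtector      = $false
        HasRecoveryPassword  = $false
        RecoveryProtectorIds = @()
        TpmReady             = $false
        CcmClientVersion     = $null
        MbamAgentNamespace   = $false
        ReadyForEscrow       = $false
    }

    # 1. BitLocker volume state and key protectors on the OS volume.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    $result.ProtectionStatus = $vol.ProtectionStatus.ToString()
    $result.VolumeStatus     = $vol.VolumeStatus.ToString()
    $result.HasTpmProtector  = [bool]($vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm')
    $rp = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    $result.HasRecoveryPassword  = $rp.Count -gt 0
    # Record only protector IDs; never write the 48-digit recovery password to a log.
    $result.RecoveryProtectorIds = @($rp | ForEach-Object { $_.KeyProtectorId })

    # 2. TPM readiness (the TPM protector is useless if the TPM is not owned/ready).
    try {
        $tpm = Get-Tpm -ErrorAction Stop
        $result.TpmReady = [bool]$tpm.TpmReady
    } catch {
        Write-Warning "Get-Tpm failed: $($_.Exception.Message)"
    }

    # 3. ConfigMgr client installed: root\ccm\SMS_Client exists once the client is in place.
    try {
        $client = Get-CimInstance -Namespace 'root\ccm' -ClassName 'SMS_Client' -ErrorAction Stop
        $result.CcmClientVersion = $client.ClientVersion
    } catch {
        Write-Warning "ConfigMgr client not found: $($_.Exception.Message)"
    }

    # 4. BitLocker Management agent namespace (assumption: root\Microsoft\MBAM, as in MBAM 2.5).
    #    The agent only arrives after the BitLocker Management policy is applied, so
    #    a missing namespace right after OSD is expected, not an error.
    try {
        $null = Get-CimInstance -Namespace 'root\Microsoft\MBAM' -ClassName 'MBAM_Volume' -ErrorAction Stop
        $result.MbamAgentNamespace = $true
    } catch {
        Write-Verbose 'root\Microsoft\MBAM not available yet; policy has not been applied.'
    }

    # Escrow needs protection on, both protectors present, and a client to talk to the site.
    $result.ReadyForEscrow = ($result.ProtectionStatus -eq 'On') -and
                             $result.HasTpmProtector -and
                             $result.HasRecoveryPassword -and
                             ($null -ne $result.CcmClientVersion)

    [pscustomobject]$result
}

$state = Test-PostOsdBitLockerState
$state | Format-List
if (-not $state.ReadyForEscrow) { exit 1 }
```

Run it on a freshly imaged device after the ConfigMgr client has registered. If ReadyForEscrow is true but the key never appears in the console, the remaining variable is the one the answer names: whether a BitLocker Management policy is actually deployed to a collection containing that device (and, before 2103, whether a user has logged on).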

HanyunZhu-MSFT answered

Hi @jaybird283-2674,

Thank you for posting in Microsoft Q&A forum.

You have done some steps for troubleshooting and have excluded some possibilities for our next work.
For further reference, could you share the smsts.log with the sensitive information to review? Maybe we can find the problem that caused the script to fail.

And I found an article that describes the task sequence deployment of MBAM client in detail, we may use this as a reference:
https://msendpointmgr.com/2020/04/02/goodbye-mbam-bitlocker-management-in-configuration-manager-part-3/
Note: This is not from MS, just for your reference.


If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


jaybird283-2674 answered

Thanks for your response. I actually followed that link you shared when I set up my task sequence. Here is the relevant section of the SMSTS.log.

[Attached screenshot: image.png, excerpt of smsts.log]

jaybird283-2674 answered

@frankrojas this is great info. Thanks for sharing. Do you have any suggestions on applying a BitLocker policy to ONLY new machines (as soon as they come up)?


frankrojas answered

Why would you only want to do new machines?


VenturaAce-6090 answered

Can we still use this if we are using MDT to deploy images? For example, my TS in standalone MDT deploys Windows 10, joins the domain, installs apps, installs the SCCM client and runs the BitLocker invoke script.
