Following off of HermanB's comment.
We didn't do MBAM and just managed the keys (tediously) in AD and enabled BitLocker via the OSD with tasks setting registry values. Also, not enabling full disk encryption, just used space.
All of it is working fine, but I was just thinking of having that management done by Config Mgr.
My questions:
- Do we need to enable full disk encryption during the OSD for this to work?
- Do we need to set BitLocker encryption levels in the OSD still and GPOs or just use the new BitLocker deployment policy after the machine is online?
I see you stated that current machines protected with BitLocker will keep their keys in AD as well as their encryption levels.
I'm more worried about new machines deployed and the OSD changes needed.