PreStage Managed Local Admin account, Secure Token, Bootstrap Token and LAPS

romen564
New Contributor

Despite documentation that seems to indicate that Bootstrap Tokens are automatically escrowed when using ADE, it still requires an admin to log in for the first time for this to happen. In order to force it, we are using scripts during Enrollment to create and activate a Secure Token for the Managed Local Admin account created during PreStage with a known password. Once it is created, the Bootstrap Token is escrowed by another script, also during Enrollment. For both scripts, we pass the known password for the admin account as a parameter.


So we've now achieved our requirement to have computer labs' Bootstrap Tokens escrowed during Enrollment without an admin having to physically go to each lab PC and log in.


However, we're concerned about the Managed Local Admin account having a fixed password. If we enable LAPS on the Managed Local Admin account, will there be any potential issues? The way we see it, the known password will just be used twice during Enrollment: when the Secure Token is generated and when the Bootstrap Token is escrowed. However, we're worried that we cannot make sure that LAPS will not change the password until after the two scripts have run.


Has anyone else done this or something similar?

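The two-step sequence described in the post (grant the PreStage admin a Secure Token, then escrow the Bootstrap Token), written as a single enrollment script. This is an added example, not the poster's script or Jamf's code. It assumes the Jamf convention of passing the account name as script parameter $4 and its current password as $5, that the account already exists and is an admin, and that the strings it matches are the ones `sysadminctl -secureTokenStatus` and `profiles status -type bootstraptoken` print on current macOS. It also addresses the LAPS worry raised above in the only way a script can: it verifies the supplied password still authenticates before doing anything, so a rotation that happened first fails loudly instead of half-completing. The sample transcripts at the bottom are constructed for the offline self-check, not captured from a Mac.

```shell
#!/bin/sh
# Added example (not the poster's or Jamf's code): grant the PreStage managed
# admin a Secure Token, then escrow the Bootstrap Token, in one enrollment
# script. Assumed: Jamf passes the account name as $4 and its password as $5.

# Returns 0 if a `sysadminctl -secureTokenStatus <user>` transcript says ENABLED.
secure_token_enabled() {
  printf '%s\n' "$1" | grep -q 'Secure token is ENABLED'
}

# Returns 0 if a `profiles status -type bootstraptoken` transcript shows escrow.
bootstrap_escrowed() {
  printf '%s\n' "$1" | grep -q 'Bootstrap Token escrowed to server: YES'
}

# Fail fast if the password handed to the script no longer matches the account.
# That is exactly the symptom of LAPS rotating it before this script ran;
# continuing would only produce confusing errors from the later commands.
password_still_valid() {
  dscl . -authonly "$1" "$2" >/dev/null 2>&1
}

escrow_bootstrap_token() {
  admin="$1"; pass="$2"

  if ! password_still_valid "$admin" "$pass"; then
    echo "password for $admin rejected; has it already been rotated?" >&2
    return 1
  fi

  # sysadminctl writes its report to stderr, so capture both streams.
  status="$(sysadminctl -secureTokenStatus "$admin" 2>&1)"
  if ! secure_token_enabled "$status"; then
    # On a freshly enrolled Mac with no token holder yet, the account can
    # authorise its own token; this is the behaviour the post relies on.
    sysadminctl -adminUser "$admin" -adminPassword "$pass" \
                -secureTokenOn "$admin" -password "$pass" 2>&1
    status="$(sysadminctl -secureTokenStatus "$admin" 2>&1)"
    if ! secure_token_enabled "$status"; then
      echo "secure token was not granted to $admin" >&2
      return 1
    fi
  fi

  # Escrow with the now token-holding account, then confirm the MDM has it.
  profiles install -type bootstraptoken -user "$admin" -password "$pass" 2>&1
  escrow="$(profiles status -type bootstraptoken 2>&1)"
  if ! bootstrap_escrowed "$escrow"; then
    echo "bootstrap token was not escrowed" >&2
    return 1
  fi
  echo "bootstrap token escrowed; $admin can now be handed over to LAPS"
}

# Constructed sample transcripts (not captured output) for the offline check.
SAMPLE_TOKEN_OFF='2024-01-01 10:00:00.000 sysadminctl[512:9001] Secure token is DISABLED for user labadmin'
SAMPLE_TOKEN_ON='2024-01-01 10:00:05.000 sysadminctl[530:9042] Secure token is ENABLED for user labadmin'
SAMPLE_ESCROW_NO='profiles: Bootstrap Token supported on server: YES
profiles: Bootstrap Token escrowed to server: NO'
SAMPLE_ESCROW_YES='profiles: Bootstrap Token supported on server: YES
profiles: Bootstrap Token escrowed to server: YES'

# Only touch the system when Jamf runs this on a Mac with both parameters set.
if [ "$(uname)" = "Darwin" ] && [ -n "${5:-}" ]; then
  escrow_bootstrap_token "$4" "$5"
fi
```

Because the password check comes first and every later step re-reads the real status rather than trusting the previous command's exit code, the script is safe to run a second time: on a Mac where the token already exists and escrow already happened it changes nothing, and on one where LAPS won the race it stops at the first line and reports why.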