Forum Discussion

Tobias Abele
Copper Contributor
Aug 06, 2018

BitLocker Recovery with PXE

I discovered an issue with BitLocker and PXE. I use ConfigMgr required deployments to start Zero Touch OSD. To allow zero touch here, we configured PXE to be first in the boot order, so adding a computer to the OSD collection (or resetting the PXE boot flag) will start the deployment. During the deployment, Windows Setup puts Windows Boot Manager first in the UEFI boot order, and the TS enables BitLocker with TPM protection. At the end of the TS we configure PXE to be the first boot device again. Now comes the issue: as soon as BitLocker tries to unlock, it runs into recovery. I figured out that this only happens if a required deployment has already run and now the PXE flag prevents it from PXE booting (PXEAbort). In SMSPXE.log we can see it send abortpxe.com to the client. If I assign a second, available deployment, PXE waits for "ENTER" to boot. If I do not press ENTER, it just boots up fine without BitLocker recovery. If I remove the deployment from the client, it also boots fine.

So I suppose that abortpxe.com is somehow "untrusted" by the BitLocker boot process.

The workaround of having an optional deployment in parallel is good as long as nobody presses ENTER, because if that is done it will boot into WinPE and then run the other mandatory deployment (and accidentally delete the client).

4 Replies
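As an added illustration (not from the original post and not ConfigMgr's or Microsoft's own code): a PowerShell snippet showing what a practitioner would run on an affected client to narrow down a recovery prompt like the one described above. It lists the key protectors and the TPM PCR validation profile (the `PCR Validation Profile` line that `manage-bde -protectors -get` prints for the TPM protector), pulls the BitLocker management events written around the last boot, and wraps the standard mitigation of suspending BitLocker for exactly one reboot before a task sequence step changes the measured boot path (boot order, PXE flag). Assumptions: Windows 10 with the BitLocker PowerShell module, the OS volume on `C:`, and the `recovery|TPM` message filter, which is a guess at the event wording rather than an official event ID list.

```powershell
# Added example, not from the original post or from ConfigMgr.
# Assumes Windows 10 with the BitLocker module and the OS volume on C: (adjust $MountPoint).
param(
    [string]$MountPoint = 'C:'
)

# 1. Show protector types and the PCRs the TPM protector validates against.
#    On UEFI with Secure Boot enabled the default profile is PCR 7 and 11;
#    with Secure Boot off (or legacy BIOS) it is PCR 0, 2, 4 and 11, which
#    includes the boot manager/NBP code path and is sensitive to PXE changes.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
"Volume $MountPoint : protection=$($vol.ProtectionStatus) protectors=$($vol.KeyProtector.KeyProtectorType -join ',')"
& manage-bde.exe -protectors -get $MountPoint |
    Where-Object { $_ -match 'PCR Validation Profile|TPM|Numerical Password|ID:' }

# 2. BitLocker management events from the last day; the message filter is an
#    assumption about the wording, not a documented event-ID list.
$since = (Get-Date).AddDays(-1)
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'recovery|TPM' } |
    Select-Object TimeCreated, Id, Message |
    Format-List

# 3. Mitigation for a step that changes the measured boot path: suspend protection
#    for one reboot so the key is resealed against the new measurements instead of
#    dropping into recovery. Protection resumes automatically after that reboot.
function Suspend-ForBootChange {
    param([string]$Mount = $MountPoint)
    $v = Get-BitLockerVolume -MountPoint $Mount
    if ($v.ProtectionStatus -eq 'On') {
        Suspend-BitLocker -MountPoint $Mount -RebootCount 1 | Out-Null
        "BitLocker suspended on $Mount for one reboot"
    } else {
        "BitLocker protection already off/suspended on $Mount; nothing to do"
    }
}

# Example call for a TS 'Run PowerShell Script' step placed immediately before the
# step that puts PXE back first in the boot order (hypothetical step placement):
# Suspend-ForBootChange -Mount 'C:'
```

The suspend-for-one-reboot step is the same approach used before firmware updates: it is a deliberate, bounded window in which the volume key is stored in the clear on disk, so it belongs only around the specific step that changes the boot path, not as a standing setting.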

