Q: Can I store the BitLocker recovery key in Active Directory, if I'm using Microsoft BitLocker Administration and Monitoring for BitLocker management?

You can store the encryption recovery key in Active Directory, but you probably won't want to after you read this.

John Savill

September 27, 2011

1 Min Read

A: MBAM stores the recovery key in its SQL Server database instead of Active Directory (AD).

Out of the box, you can use Group Policy to configure BitLocker clients to store the BitLocker recovery key under the computer’s account in Active Directory (AD).

However, although it's possible to store the recovery key both in AD and in the MBAM SQL Server database, the two copies won't stay synchronized once a recovery key is used. After a recovery key is used, MBAM generates a new one, and that new key isn't replicated to AD.

You can store the recovery key in both AD and MBAM, but the copy stored in AD will eventually become invalid unless it's manually updated.
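The drift described above is easy to check for. The following PowerShell is an added example, not code from the original answer or from the MBAM product: it compares the recovery-password protectors currently on a BitLocker volume with the msFVE-RecoveryInformation objects stored under the computer's AD account, flags protectors AD has no copy of, and flags AD objects whose protector no longer exists locally (the stale copies left behind when MBAM rotates a used key). It assumes it runs elevated on the domain-joined client, that the RSAT ActiveDirectory module is installed, and that the running account has been granted read access to msFVE-RecoveryInformation objects (not the case for ordinary users by default).

```powershell
# Added example (not from the original article): detect drift between the
# recovery-password protectors on a BitLocker volume and the copies stored
# under this computer's account in Active Directory.
# Assumptions: elevated session on the domain-joined client, RSAT
# ActiveDirectory module present, and rights to read msFVE-RecoveryInformation.
Import-Module BitLocker
Import-Module ActiveDirectory

function Get-LocalRecoveryProtectorIds {
    param([string]$MountPoint = 'C:')
    # Only numerical-password (recovery password) protectors are backed up to AD
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword' |
        ForEach-Object { [Guid]$_.KeyProtectorId }
}

function Get-ADRecoveryProtectorIds {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $computerDn = (Get-ADComputer -Identity $ComputerName).DistinguishedName
    # Recovery objects are children of the computer object; msFVE-RecoveryGuid is
    # an octet string holding the protector GUID, so rebuild the Guid from bytes
    Get-ADObject -SearchBase $computerDn -SearchScope OneLevel `
        -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
        -Properties 'msFVE-RecoveryGuid', 'whenCreated' |
        ForEach-Object {
            [pscustomobject]@{
                Id      = [Guid]::new([byte[]]$_.'msFVE-RecoveryGuid')
                Created = $_.whenCreated
            }
        }
}

function Compare-RecoveryProtectors {
    param([string]$MountPoint = 'C:')
    $local = @(Get-LocalRecoveryProtectorIds -MountPoint $MountPoint)
    $inAd  = @(Get-ADRecoveryProtectorIds)

    # Protectors that exist on the volume: is there a matching AD copy?
    foreach ($id in $local) {
        $match = $inAd | Where-Object Id -eq $id
        [pscustomobject]@{
            MountPoint  = $MountPoint
            ProtectorId = $id
            StoredInAD  = [bool]$match
            ADCopyDate  = if ($match) { $match.Created } else { $null }
            Note        = if ($match) { 'ok' } else { 'missing: AD has no copy of this protector' }
        }
    }

    # AD objects whose GUID no longer matches any protector on the volume are
    # stale copies (for example, left behind after MBAM rotated a used key)
    foreach ($obj in $inAd) {
        if ($local -notcontains $obj.Id) {
            [pscustomobject]@{
                MountPoint  = $MountPoint
                ProtectorId = $obj.Id
                StoredInAD  = $true
                ADCopyDate  = $obj.Created
                Note        = 'stale: no matching protector on the volume'
            }
        }
    }
}

# Usage: list every protector with its AD status
Compare-RecoveryProtectors -MountPoint 'C:' | Format-Table -AutoSize
```

For any row reported as missing, `Backup-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId "{<guid>}"` re-sends that protector to AD, but only if the BitLocker Group Policy that permits AD backup is applied to the client; stale rows are the AD objects the article warns about and can be cleaned up by whoever owns the computer object, since nothing in MBAM will remove them.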
