Q: Can I store the BitLocker recovery key in Active Directory, if I'm using Microsoft BitLocker Administration and Monitoring for BitLocker management?

A: MBAM stores the recovery key in its SQL Server database instead of Active Directory (AD).

Out of the box, you can use Group Policy to configure BitLocker clients to store the BitLocker recovery key under the computer’s account in Active Directory (AD).

However, although it’s possible to store the recovery key both in AD and in the MBAM SQL Server database, the two copies won’t stay synchronized once a recovery key has been used. After a recovery key is used, MBAM generates a new one, and that new key isn’t replicated to AD.

You can store the recovery key in both AD and MBAM, but the copy in AD will become stale after the first recovery unless it’s manually updated.
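The staleness described above can be checked from the client: compare the recovery-password protector IDs currently on the volume with the msFVE-RecoveryInformation objects stored under the computer account in AD, and re-back-up any protector that AD lacks. This is an added example, not code from the FAQ or from MBAM; it assumes the BitLocker and ActiveDirectory PowerShell modules, an elevated session on a domain-joined client, and that the OS volume is C:.

```powershell
# Added example: detect an AD copy of a BitLocker recovery key that is stale
# because the key was rotated (e.g. by MBAM after a recovery) and AD was not updated.
# Assumptions: BitLocker and ActiveDirectory modules installed, run as administrator
# on the domain-joined client, OS volume is C:.
Import-Module BitLocker
Import-Module ActiveDirectory

$MountPoint = 'C:'   # assumption: check the OS volume

# Recovery-password protector IDs currently in use on the local volume
$localIds = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    ForEach-Object { [guid]$_.KeyProtectorId }

# msFVE-RecoveryInformation objects are children of the computer account in AD;
# msFVE-RecoveryGuid holds the protector GUID as a byte array.
$computerDn = (Get-ADComputer -Identity $env:COMPUTERNAME).DistinguishedName
$adIds = Get-ADObject -SearchBase $computerDn -SearchScope OneLevel `
    -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
    -Properties 'msFVE-RecoveryGuid' |
    ForEach-Object { [guid]::new([byte[]]$_.'msFVE-RecoveryGuid') }

# A protector in use locally with no matching GUID in AD is the stale case:
# a recovery with that AD password would fail because the volume no longer accepts it.
$missing = $localIds | Where-Object { $adIds -notcontains $_ }
if ($missing) {
    foreach ($id in $missing) {
        Write-Warning "Recovery protector $id is not backed up to AD"
        # Manual re-sync of the AD copy, which the FAQ says is required after rotation
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId "{$id}"
    }
} else {
    Write-Output "All local recovery-password protectors are present in AD"
}
```

Run it periodically (or after any recovery) on clients where both AD backup and MBAM are in use; the warning identifies exactly which AD-held password would no longer unlock the volume.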

To read more FAQs, go to John Savill's Windows IT Pro FAQs page
