Q: Does the new Microsoft BitLocker Administration and Management tool require changes to Active Directory?

A: The Microsoft BitLocker Administration and Management (MBAM) tool is a new addition to the Microsoft Desktop Optimization Pack (MDOP), which is an enterprise solution for the management and reporting of BitLocker Drive Encryption within an organization.

MBAM itself doesn’t require any schema changes to Active Directory (AD), nor does it actually store information in AD. MBAM recovery keys and other BitLocker data are stored in a SQL Server database instead of as objects in AD.

Machines and users should still be part of an AD domain, because MBAM uses Group Policy Objects (GPOs) to manage the MBAM client on BitLocker-enabled machines. See the article at the Microsoft website, which also covers hiding the default BitLocker control panel applet from end users.
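As an added example (not part of the original answer), the following PowerShell check reports, on a domain-joined BitLocker client, whether the GPO-driven BitLocker settings point at AD escrow and whether each volume carries a recovery-password protector; with MBAM the escrow target is the MBAM SQL database, so the AD backup values are typically absent. It assumes Windows 8 / Server 2012 or later for Get-BitLockerVolume, local administrator rights, and that the MBAM client policy subkey name is as shown (an assumption that may differ between MBAM versions).

```powershell
# Added example: where does this client expect BitLocker recovery data to be escrowed?
# Standard BitLocker policy key; value names come from the
# "Choose how BitLocker-protected operating system drives can be recovered" GPO.
$fvePolicy  = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
# Assumed MBAM client policy subkey (verify against your MBAM ADMX templates).
$mbamPolicy = Join-Path $fvePolicy 'MDOPBitLockerManagement'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is not present (policy not applied).
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

$adBackup   = Get-PolicyValue $fvePolicy 'OSActiveDirectoryBackup'
$adRequired = Get-PolicyValue $fvePolicy 'OSRequireActiveDirectoryBackup'

# Summary of the escrow-related policy state on this machine.
[pscustomobject]@{
    ADBackupEnabled   = ($adBackup -eq 1)
    ADBackupRequired  = ($adRequired -eq 1)
    MBAMPolicyApplied = (Test-Path $mbamPolicy)
}

# Per-volume view: a RecoveryPassword protector is what gets escrowed
# (to AD under native policy, to the MBAM database under MBAM).
Get-BitLockerVolume | ForEach-Object {
    $recovery = $_.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    [pscustomobject]@{
        Volume                 = $_.MountPoint
        ProtectionStatus       = $_.ProtectionStatus
        RecoveryProtectorCount = @($recovery).Count
    }
}
```

A volume with protection on but no recovery-password protector, or a client where neither the AD backup values nor the MBAM policy key is present, indicates recovery data is not being escrowed anywhere and warrants a policy review.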
