Bitlocker - Single Use Recovery Keys (MBAM)
Hi, I have questions regarding BitLocker and MBAM (BitLocker Administration and Monitoring): In the online documentation (http://onlinehelp.microsoft.com/de-de/mdop/hh301925.aspx) and other Microsoft sites (e.g. http://blogs.technet.com/b/mdop/archive/2011/08/01/mdop-2011-r2-generally-available-get-mbam-and-dart-7-0-today.aspx & http://windowsteamblog.com/windows/b/springboard/archive/2011/07/01/simplify-bitlocker-support-with-mbam.aspx) there is a feature described that MBAM allows the use of single-use recovery keys. These single-use recovery keys can only be used for one recovery process, and then a new key should be generated. Is there anyone who has implemented MBAM yet and uses this feature? Or is there any document, tutorial or something else which describes how to use single-use recovery keys? Thank you and best regards, David
October 10th, 2011 2:52am

David, the single-use recovery feature for MBAM is designed so that once the user gets the recovery key from the MBAM Recovery Console, the MBAM agent will change the recovery key ID and recovery password upon the next client wake-up frequency.
MBAM Technical Documents:
Planning Guide: http://onlinehelp.microsoft.com/en-us/mdop/hh285653.aspx
Deployment Guide: http://onlinehelp.microsoft.com/en-us/mdop/hh285644.aspx
Operations Guide: http://onlinehelp.microsoft.com/en-us/mdop/hh285664.aspx
Troubleshooting MBAM: http://onlinehelp.microsoft.com/en-us/mdop/hh352745.aspx
Manoj Sehgal
October 10th, 2011 9:46pm

Does Active Directory get updated with the key when this happens?
Regards, Vik Singh
October 10th, 2011 10:41pm

Not unless BitLocker is used across the enterprise: http://technet.microsoft.com/en-us/library/cc766015%28WS.10%29.aspx. When in doubt, read the manuals.
Windows MVP 2010-11, XP, Vista, 7. Expanding into Windows Server 2008 R2, SQL Server, SharePoint etc. Hardcore Games, Legendary is the only Way to Play. Developer | Windows IT | Chess | Economics | Vegan Advocate | PC Reviews
October 10th, 2011 11:38pm

"Does Active Directory get updated with the key when this happens? Regards, Vik Singh"
Hi Vik, the GPO recommends not using this: when using 'BitLocker Management Solution', the "Save BitLocker recovery information to AD DS for operating system drive" option should be unchecked.
EDIT: If you check this option despite the recommendation, the recovery key in AD also gets updated when the MBAM database gets updated.
October 11th, 2011 1:02am

"David, Single use recovery feature for MBAM is designed so that once the user gets the recovery key from MBAM Recovery Console, MBAM agent will change the recovery key id and recovery password upon next client wake up frequency. MBAM Technical Documents: Manoj Sehgal"
Hi Manoj, on my first tests exactly this did not happen. I could use the recovery key stored in the database several times. I'll test this again with a new client. Thanks for your answer.
October 11th, 2011 1:04am

"David, Single use recovery feature for MBAM is designed so that once the user gets the recovery key from MBAM Recovery Console, MBAM agent will change the recovery key id and recovery password upon next client wake up frequency. MBAM Technical Documents:"
Hi Manoj, it is how you described it. The MBAM agent automatically changes the recovery key after the key is read out via the MBAM Recovery Console. It is important to use the MBAM Recovery Console and not read out the keys from the database only! That was my mistake during the first test.
October 11th, 2011 5:01am
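As an added check (not code from the thread or from MBAM itself), this PowerShell script records the volume's recovery-password protector ID and flags when it changes between runs, so you can confirm the rotation described above from the client instead of re-reading the database. It assumes an elevated session, manage-bde.exe on the PATH with English output, and placeholder names for the volume and baseline file.

```powershell
# Added example, not from the thread or from MBAM: snapshot the BitLocker
# recovery-password protector ID(s) of a volume and compare them with the last
# snapshot, to confirm that the MBAM agent really rotated the key after it was
# released through the MBAM Recovery Console (expected on the next client
# wake-up, 90 minutes by default according to the thread).
# Assumptions: runs elevated on the client, manage-bde.exe is on the PATH, and
# its output is in English ("Numerical Password:" / "ID:" labels).
# $Volume and $BaselinePath are placeholders.
param(
    [string]$Volume = 'C:',
    [string]$BaselinePath = "$env:ProgramData\mbam-recovery-protector-baseline.txt"
)

function Get-RecoveryPasswordProtectorIds {
    param([string]$Vol)
    # manage-bde lists each protector as a block; the "ID:" line that follows a
    # "Numerical Password:" heading is the recovery-password protector's GUID.
    # Only the ID is collected; the 48-digit password itself is never stored.
    $ids = @()
    $expectId = $false
    foreach ($line in (& manage-bde.exe -protectors -get $Vol)) {
        if ($line -match 'Numerical Password:') { $expectId = $true; continue }
        if ($expectId -and $line -match 'ID:\s*(\{[0-9A-Fa-f-]+\})') {
            $ids += $matches[1]
            $expectId = $false
        }
    }
    return ($ids | Sort-Object)
}

$current = Get-RecoveryPasswordProtectorIds -Vol $Volume
if (-not $current) { throw "No recovery-password protector found on $Volume" }

if (Test-Path $BaselinePath) {
    $previous = Get-Content $BaselinePath | Sort-Object
    # Compare-Object returns nothing when both ID lists are identical.
    if (Compare-Object $previous $current) {
        Write-Output "ROTATED: recovery-password protector ID changed on $Volume"
        Write-Output "  before: $($previous -join ', ')"
        Write-Output "  after:  $($current -join ', ')"
    } else {
        Write-Output "UNCHANGED: same protector ID(s) on $Volume ($($current -join ', '))"
        Write-Output "  The agent may not have checked in yet; re-run after the next wake-up."
    }
} else {
    Write-Output "No baseline yet; recording $($current -join ', ') for $Volume"
}
# Refresh the baseline so the next run compares against this state.
Set-Content -Path $BaselinePath -Value $current
```

Run it once right after handing out a key through the Recovery Console to take the baseline, then again after the client wake-up interval; a ROTATED result is the behaviour the thread expects.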

My problem with not putting the keys in AD is that the MBAM client does not seem to put the key into the database until the drive is fully encrypted. That would leave a small window of having a user's data be unrecoverable if there was a problem with the hard drive prior to the initial encryption finishing.
October 13th, 2011 2:06pm

If you are encrypting your disk with MBAM, we will put the key in immediately as we start the encryption process; MBAM does not wait for encryption to be completed on a volume, which can take a couple of hours. If your volume is already encrypted with BitLocker and you have the MBAM agent installed now, the agent will push the keys to the SQL DB during the client wake-up frequency, which is 90 minutes.
Manoj Sehgal
October 13th, 2011 2:33pm

"if you are encrypting your disk with MBAM, we will put the key immediately as we start the encryption process"
Not seeing this behaviour. I've checked the database tables themselves and the key in there doesn't change until after the encryption finishes (validated with the timestamp).
October 14th, 2011 10:14am

After encryption you would not see the keys right away. There is a job which runs every 6 or 12 hours on the DB which can be forced as well. Once the job runs, you will see that info in the DB.
Regards, Vik Singh
October 15th, 2011 4:06pm

First, your URLs are useless... They are pointing to MS's OWA login. Second, your input is useless because these are the same URLs that are all over the internet and do not offer any specific help at all. David referenced the MDOP docs he has been going through and he is still asking a question, so obviously he is familiar with your links. Why do people feel it's necessary to try and get answer points by posting obvious URLs? I have been through all these help docs myself and have searched for the term "single" both within all the pages and in the search field... Nothing other than the mention of server topology and the mention of "planning for Single User", but nothing referencing how to configure it, which policies configure this, etc. A little actual help would be appreciated.
Additionally (added later): If you know the answer that is posted on http://social.technet.microsoft.com/Forums/en/w7itprosecurity/thread/d35cc14c-5a23-4efc-ab57-cb0a492dfb4a then why not just state that rather than posting useless links? Apparently it's all automatic, but I have yet to see this work correctly. I will continue to do some tests to confirm.
August 23rd, 2012 12:34pm
