Bitlocker AD does not store recovery after PIN change

Hi all,

Bitlocker is controlled by domain policies. First time Bitlocker is enabled on a computer, the recovery is saved to AD DS. I confirmed this in Computers object in AD DS.

However, when the user changes the PIN, there is no record of the new recovery key. Is that normal?

When I then manually force the recovery to AD by using manage-bde -protectors -adbackup C: -id { recoveryGUID }, a new entry appears in the computer object in the AD. Although that seems correct, when I tested it, this new recovery key is not valid. Bitlocker on startup refers to the initial recoveryID instead of the new one created after the PIN change.

Is it correct that a PIN change does not result in a new recovery key? If not, which policies should I adjust in order to fix this?

Hope my post is sufficiently clear. Many thanks in advance.

Info: Server is 2012 R2. Client Win8.1 Pro.

  • Edited by martijn0123 Wednesday, August 05, 2015 9:31 PM update info
August 5th, 2015 9:12pm
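As an added diagnostic example (not part of the original post), the PowerShell below lists every key protector on the OS volume and backs up each recovery-password protector to AD DS, so the protector ID shown at the recovery prompt can be matched against the msFVE-RecoveryInformation entries under the computer object. It assumes the BitLocker module shipped with Windows 8.1 / Server 2012 R2, an elevated session, and that C: is the OS volume.

```powershell
# Added example, not from the original post. Assumes the BitLocker
# PowerShell module (Windows 8.1 / Server 2012 R2) and an elevated session.
Import-Module BitLocker

$mountPoint = "C:"   # assumption: the OS volume is C:
$volume = Get-BitLockerVolume -MountPoint $mountPoint

# List all protectors. The PIN is part of the TpmPin protector; recovery
# passwords are separate RecoveryPassword protectors, each with its own ID.
$volume.KeyProtector |
    Select-Object KeyProtectorType, KeyProtectorId |
    Format-Table -AutoSize

# Back up every RecoveryPassword protector to the computer object in AD DS.
# Each backup creates an msFVE-RecoveryInformation child object whose name
# embeds the protector ID, which is what the recovery prompt displays.
$recovery = $volume.KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

foreach ($kp in $recovery) {
    Backup-BitLockerKeyProtector -MountPoint $mountPoint -KeyProtectorId $kp.KeyProtectorId
    Write-Output ("Backed up recovery protector {0} to AD DS" -f $kp.KeyProtectorId)
}
```

Compare the IDs printed here with the ID at the boot-time recovery prompt and with the AD entries; an ID that is in AD but not in this list belongs to a protector that no longer exists on the volume.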

