Choosing how BitLocker-protected drives can be recovered.
We've just deployed MBAM to help manage BitLocker. Up to now, we've saved our recovery keys in our Active Directory. We like MBAM because of what it will offer our Help Desk, although that means getting those recovery keys into MBAM. The suggested Group Policy, for MBAM, is to not configure recovery information to get saved into AD. What should my strategy be for getting the recovery keys into MBAM and out of AD?
Orange County District Attorney
March 12th, 2012 6:36pm

Please check if the following article would be helpful to you: How to backup recovery information in AD after BitLocker is turned ON in Windows 7
http://blogs.technet.com/b/askcore/archive/2010/04/06/how-to-backup-recovery-information-in-ad-after-bitlocker-is-turned-on-in-windows-7.aspx
Thanks, Zero
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
March 13th, 2012 7:50am

Hello Zero, thanks for the response to my question. The link is very good, although not for the question here - I was actually looking for this information for another issue. Thanks for being so informative before I asked that question. My original question here was that we already save recovery information to AD. When we deploy systems, we encrypt them during the deployment and the recovery information is saved to AD. Works like a charm. Now we've discovered and installed MBAM and are pondering how to move towards the MBAM model of saving recovery information to MBAM. Should we just save the recovery information to AD and re-generate the recovery password to MBAM? Will MBAM automagically obtain a copy of the recovery keys we currently have? As you can see, we've got a lot of questions as we work on moving towards MBAM as our BitLocker management solution.
Orange County District Attorney
March 13th, 2012 11:24am


You just need to install the MBAM agent on the Win7 client machine and the MBAM agent will automatically escrow the keys to the MBAM Recovery & Hardware DB in SQL. This is true for volumes which are already encrypted with BitLocker. For volumes which are not encrypted, the MBAM agent will prompt the user to start the encryption. Note: After you install MBAM on the server, make sure the MBAM GPOs are configured correctly, so that the MBAM agent can talk to the MBAM server.
Documents to help you:
Planning Guide: http://onlinehelp.microsoft.com/en-us/mdop/hh285653.aspx
Deployment Guide: http://onlinehelp.microsoft.com/en-us/mdop/hh285644.aspx
Operations Guide: http://onlinehelp.microsoft.com/en-us/mdop/hh285664.aspx
I hope this helps.
Manoj Sehgal
March 14th, 2012 5:59am

Thanks for the answer to my post, Manoj. Is there any way to 'see' the keys in MBAM? In AD you could see the recovery keys, whereas in MBAM they don't seem to be visible in any of the reports. Also, we'd like to enable BitLocker, with TPM-only management, on some systems with the MBAM agent, manually from the system. Can we use manage-bde somehow to do this? We're not ready to roll out the Group Policy that forces everyone to encrypt at this time.
Orange County District Attorney
March 14th, 2012 10:53am

http://blogs.technet.com/b/askcore/archive/2011/08/04/how-to-verify-bitlocker-recovery-keys-in-sql-db-using-mbam.aspx
You can use the manage-bde command to turn on BitLocker on selected machines. If you want to control the computers on which you can enable encryption, you have 2 options:
1. All machines where encryption is required should be in one OU, and then you apply the MBAM policies.
2. Use the Allow hardware checking GPO from the client management policies under MBAM. When the MBAM agent talks to the MBAM server, the machine will be listed under the MBAM Hardware tab in the MBAM console. The first time, the machine is listed as unknown. If you want encryption, mark only those machines as compatible and MBAM will prompt for encryption on only those machines.
I hope this helps.
Manoj Sehgal
March 15th, 2012 4:40am
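The two answers above (install the agent with the MBAM GPOs applied, then enable BitLocker manually with manage-bde on selected machines) put together as an added example; this is not code from the thread or from the MBAM product. It assumes an elevated PowerShell prompt on the Windows 7 client, a TPM that is already enabled and owned, the MBAM client GPO registry path and value names (`HKLM\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement`, `KeyRecoveryServiceEndPoint`, `StatusReportingServiceEndPoint`) and the `MBAMAgent` service name as documented for the MBAM client, and the `Microsoft-Windows-MBAM/Operational` event log as the place the agent reports escrow; verify those names against your own MBAM version. The point worth checking is that a numerical recovery password protector exists on the volume: the TPM protector unlocks the drive, but only the recovery password is what MBAM (or AD) escrows, so a TPM-only drive with no recovery password has nothing to escrow.

```powershell
# Added example, not the thread's own code. Enable BitLocker with TPM unlock
# plus a recovery password on one drive, confirm the protectors, then check
# that the MBAM client is configured to reach the MBAM server.
$Drive = 'C:'

# 1. Protectors first: TPM for unlock, a numerical recovery password as the
#    recovery method. The recovery password is the only protector MBAM escrows.
manage-bde -protectors -add $Drive -tpm
manage-bde -protectors -add $Drive -recoverypassword

# 2. Start encryption. -SkipHardwareTest avoids the reboot-time system check
#    (drop it if you want the TPM/boot test to run before encryption starts).
manage-bde -on $Drive -SkipHardwareTest

# 3. Verify what is actually on the volume; no recovery password means the
#    Help Desk will have no key to hand out, whatever MBAM reports.
$protectors = manage-bde -protectors -get $Drive
if ($protectors -notmatch 'Numerical Password') {
    Write-Warning "No recovery password protector on $Drive; nothing for MBAM to escrow."
}
$protectors

# 4. The MBAM client GPO writes the service endpoints here (path/value names
#    assumed from the MBAM client policy; check against your ADMX).
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement'
if (Test-Path $policy) {
    Get-ItemProperty $policy |
        Select-Object KeyRecoveryServiceEndPoint, StatusReportingServiceEndPoint
} else {
    Write-Warning 'MBAM client policy not applied; run gpupdate /force and check the GPO link.'
}

# 5. Agent service state and its recent operational events (log name assumed;
#    look here for the entry that confirms the recovery key was escrowed).
Get-Service -Name MBAMAgent | Select-Object Name, Status
Get-WinEvent -LogName 'Microsoft-Windows-MBAM/Operational' -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Run it per machine on the systems you want encrypted now; the GPO-driven rollout can follow later for the rest. If the AD backup policy is still enabled on these clients, the same recovery password will also land in AD, which is exactly the double escrow the MBAM policy guidance in the question is trying to avoid.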

Thanks Manoj for the link and the options to encrypt. You've answered my questions!
Orange County District Attorney
March 15th, 2012 10:35am
