MBAM Bitlocker - Single Use Recovery Keys GPO
Hi, I've read about single-use recovery keys in the MBAM Administration guide, but I can't find the GPO to configure it. What is the name of the GPO to configure it? Thanks!
August 18th, 2012 4:22am

Hi, based on my research, please refer to this similar thread: Bitlocker - Single Use Recovery Keys (MBAM) http://social.technet.microsoft.com/Forums/en/w7itprosecurity/thread/9a4ee2ee-8df9-4294-9295-09b6be01f3eb
Hope this helps.
Jeremy Wu, TechNet Community Support
August 21st, 2012 2:18am

I've seen this thread already. The documentation states: "See Planning and Configuring Group Policy for MBAM for steps on how to configure single-use recovery keys."; however, the chapter does not show any group policy to configure single-use recovery keys. Also, in my installation I can't find the group policy.
August 21st, 2012 3:31am

There is no GPO for configuring single-use recovery keys in MBAM. We will get the documentation corrected. In single-use recovery, when an MBAM Helpdesk engineer exposes the BitLocker recovery key to a user, MBAM will change the recovery key ID and recovery password automatically for the volume the next time the MBAM client talks to the MBAM server. By default, this is 90 minutes, as per the client wakeup frequency. We do not have a GPO to configure single-use recovery keys. It is written in the MBAM code. I hope this helps. Manoj Sehgal
August 21st, 2012 9:44am

Very helpful. Thanks. Glad to finally see a useful post on this after all the extremely vague posts. I ran through a series of test scenarios and was able to confirm that YES, even without special configuration, the MBAM single-use codes are working successfully.

My very informally documented test results, in case anybody else is curious:

11:48 using code: E2E0462F gave the response: 623106-401478-067540-330506-642642-352374-673057-635745 and used at 11:51 to unlock then eject.
11:55 2nd request after first eject created new request code: 82EBA9C4 gave the response: 063492-615120-041228-007128-007590-215754-579007-551672. Did not use but just ejected the drive and re-inserted.
11:57 Verified that without use and without eject the request ID is the same as before.
11:58 second request using 82EBA9C4 provided code: 063492-615120-041228-007128-007590-215754-579007-551672
11:59 Ejecting the drive and still uses the same ID 82EBA9C4 provides: 063492-615120-041228-007128-007590-215754-579007-551672 then used the code to trigger a new code being generated.
12:05 Verified that after ejecting it provided a different key: B4AED9B0

Test concluded for USB single use. Results confirmed: Recovery code request followed by ejection is what triggers the code to change, whether the recovery code is used to access or not.

OS drive: Same test: request the code but don't use it, then request it again 90 minutes later to verify it's different.

11:47 recovery code before a request (I used MANAGE-BDE to obtain the ID and recovery code): 381909-702779-512204-143066-186373-351725-224708-228734 ID: D3BA1648
11:48 Code provided by recovery console: 381909-702779-512204-143066-186373-351725-224708-228734 using request ID: D3BA1648 matches what I expected to get back
12:14 using command: manage-bde -protectors -get C: I determined the ID changed to 490B0723 and the current recovery code is: 382635-282326-632709-577709-456324-251911-154011-019800.
12:18 using the ID: 490B0723 resulted in recovery code: 382635-282326-632709-577709-456324-251911-154011-019800 which is different than the first one. Now waiting to determine how long until a new code is created, since the first round may have fallen near the end of the 90 minute cycle (assuming the 90 minute cycle is accurate). (THIS POST SENT BEFORE WAITING)

Results confirmed: Recovery code changes in MBAM console even if it was not used to unlock a drive. This appears to be strictly a timing thing between requests.
August 24th, 2012 1:00pm
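
One way to repeat the OS-drive check from the test notes above without reading or logging the recovery password itself, as an added example that is not part of the original thread or of MBAM: it polls Get-BitLockerVolume for the recovery password protector ID and reports when it changes. The mount point, timeout and poll interval are assumed values.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell session
# on Windows 8 / Server 2012 or later (BitLocker module).
param(
    [string]$MountPoint  = 'C:',  # assumed volume to watch
    [int]$TimeoutMinutes = 120,   # assumed: a little past the 90-minute default
    [int]$PollSeconds    = 60     # assumed poll interval
)

function Get-RecoveryPasswordId {
    param([string]$MountPoint)
    # Return the first 8 characters of each recovery password protector ID
    # (the short form used in the test notes above), sorted for comparison.
    # The 48-digit recovery password is deliberately never read or printed.
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
        ForEach-Object { $_.KeyProtectorId.Trim('{}').Substring(0, 8) } |
        Sort-Object
}

$baseline = @(Get-RecoveryPasswordId -MountPoint $MountPoint)
if ($baseline.Count -eq 0) {
    throw "No recovery password protector found on $MountPoint."
}
$start    = Get-Date
$deadline = $start.AddMinutes($TimeoutMinutes)
Write-Host ("{0:HH:mm} baseline ID(s): {1}" -f $start, ($baseline -join ', '))

while ((Get-Date) -lt $deadline) {
    Start-Sleep -Seconds $PollSeconds
    $current = @(Get-RecoveryPasswordId -MountPoint $MountPoint)
    if (($current -join ',') -ne ($baseline -join ',')) {
        $elapsed = [int]((Get-Date) - $start).TotalMinutes
        Write-Host ("{0:HH:mm} ID(s) now: {1} (changed after {2} min)" -f `
            (Get-Date), ($current -join ', '), $elapsed)
        # A baseline ID that is still listed means the disclosed password
        # has not been retired from the volume.
        $stale = @($baseline | Where-Object { $current -contains $_ })
        if ($stale.Count -gt 0) {
            Write-Warning "Old protector ID(s) still present: $($stale -join ', ')"
        }
        exit 0
    }
}
Write-Warning ("No change on $MountPoint within $TimeoutMinutes minutes; " +
    "any recovery password disclosed for it is still valid.")
exit 1
```

Start it right after the help desk retrieves the key; exit code 1 means the protector ID never changed within the timeout.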

Hi, thanks for sharing; it can benefit others a lot. Best regards. Jeremy Wu, TechNet Community Support
August 24th, 2012 9:45pm

This topic is archived. No further replies will be accepted.
