Planning for Single Use Recovery Keys

Applies To: Microsoft BitLocker Administration and Monitoring

With the Microsoft BitLocker Administration and Monitoring (MBAM) Recovery Password feature, you can unlock a BitLocker-encrypted device without its main protector, for example a Trusted Platform Module (TPM) and a PIN, or only a PIN. As useful as this is, the limitation of the feature is that the user can reuse the recovery password to unlock the computer without any control from the MBAM administrators. If a user obtains the recovery password and saves it or leaves a copy on their desk, a malicious user can reuse that recovery password on the computer to bypass BitLocker protection.

The Single Use Recovery Key feature of MBAM works to mitigate this risk in the following ways:

  1. When a BitLocker-protected drive enters recovery mode, the user requires a recovery key to unlock the drive. Normally, this recovery key could be used again to unlock the drive. To prevent this, configure Microsoft BitLocker Administration and Monitoring to use single-use recovery keys that expire upon use.

  2. The single use of a recovery password is applied automatically to operating system drives and fixed drives. For removable drives, it is applied when the drive is removed, and then re-inserted and unlocked on a computer on which the Group Policy settings that manage removable drives are enabled.
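The mechanism behind "expires upon use" is rotation: once a recovery password has been used, it is replaced so that any saved copy no longer unlocks the drive. MBAM performs this rotation itself and escrows the new password in its own database. The script below is an added illustration of the same rotation with the standard BitLocker PowerShell cmdlets; it is not MBAM's code, it assumes an elevated session on Windows 8/Server 2012 or later, and it escrows to Active Directory Domain Services (the `Backup-BitLockerKeyProtector` target) rather than to MBAM.

```powershell
# Added example (not MBAM's own code): rotate the 48-digit recovery password on a
# BitLocker volume so a recovery password that has already been used, or that may
# have been left lying around, stops working. Order matters: add the new protector,
# escrow it, and only then remove the old one, so the volume is never left unrecoverable.
param(
    [string]$MountPoint = 'C:'   # assumption: the operating system drive
)

$vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop

# Every existing numerical recovery password protector on the volume.
$oldProtectors = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

# 1. Create a fresh recovery password protector. The cmdlet returns the updated volume object.
$updated = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector -ErrorAction Stop
$newId = ($updated.KeyProtector |
          Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' -and
                         $oldProtectors.KeyProtectorId -notcontains $_.KeyProtectorId }).KeyProtectorId

# 2. Escrow the new password to AD DS before touching the old one (assumption: the domain's
#    BitLocker backup schema and policy are in place). MBAM would escrow to its database instead.
try {
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $newId -ErrorAction Stop
}
catch {
    # Escrow failed: keep the old protector so the drive remains recoverable, and report.
    Write-Error "Escrow of new recovery password $newId failed; old protector(s) retained. $_"
    return
}

# 3. Remove the previously used (and possibly exposed) recovery password protector(s).
foreach ($p in $oldProtectors) {
    Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId -ErrorAction Stop
    Write-Verbose "Removed old recovery password protector $($p.KeyProtectorId)"
}

Write-Output "Recovery password rotated on $MountPoint; new protector id: $newId"
```

Run it once after each recovery event on the affected volume (for example from a scheduled task or a help-desk runbook). Removing the old protector is the step that actually invalidates a leaked copy; adding and escrowing first is what keeps the rotation safe if the escrow step fails midway.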

See Also

Other Resources

Planning for MBAM