Yes, this can definitely be done; I've had our environment working this way for years. There is a GPO you can set to require that BitLocker keys be backed up to AD. If that is set, BitLocker won't encrypt the drive if it can't save the key to AD.
It was a little bit complicated when I set it up originally, but that was 6 or 7 years ago. The process may be simpler now. There was definitely a well-documented process on TechNet back then for enabling the key backup.

Steve

On Thu, Nov 30, 2017 at 6:52 PM Kurt Buff <[email protected]> wrote:
> Anyone have a clue on how to do this - without setting up MBAM?
>
> AFAICT, there isn't a way to do this, but I'm throwing it out here to
> see if I'm wrong. MBAM sets my teeth on edge, needing a SQL instance
> and all that when all I want to do is provision new machines with
> BitLocker and get the key set up in AD in one go, and not hassle with
> writing the key to a file, then running another (logon) script to get
> the key imported into AD.
>
> Kurt
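The one-pass provisioning Kurt asks about, as an added example (not code from either poster): it checks that the AD DS backup policy Steve refers to has actually reached the machine, adds a numerical recovery password, escrows it to the computer object in AD, and only then turns on encryption with a TPM protector. It assumes an elevated PowerShell on a domain-joined machine with a TPM, the built-in BitLocker module, and the GPO "Choose how BitLocker-protected operating system drives can be recovered" with "Save BitLocker recovery information to AD DS" enabled. The registry value name `OSActiveDirectoryBackup` under `HKLM\SOFTWARE\Policies\Microsoft\FVE` is what that policy writes on current Windows builds; verify it against your ADMX before relying on the check.

```powershell
# Added example, not from the original thread. Assumes: elevated session,
# domain-joined machine with a TPM, BitLocker PowerShell module present,
# and the "Save BitLocker recovery information to AD DS" policy applied.

$drive = $env:SystemDrive   # normally "C:"

# Refuse to encrypt if the AD DS backup policy has not been applied here;
# the value name is an assumption taken from the FVE policy registry layout.
$fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
if (-not $fve -or $fve.OSActiveDirectoryBackup -ne 1) {
    throw "AD DS backup policy for OS drives is not applied on this machine; not enabling BitLocker."
}

$vol = Get-BitLockerVolume -MountPoint $drive

# Add a 48-digit recovery password protector if the volume does not have one yet.
# This works on a still-decrypted volume, so the key exists before encryption starts.
$rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $rp) {
    $vol = Add-BitLockerKeyProtector -MountPoint $drive -RecoveryPasswordProtector
    $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
}

# Escrow every recovery password protector to the computer object in AD DS.
# This is the step that otherwise needs the file-plus-logon-script dance.
foreach ($p in $rp) {
    Backup-BitLockerKeyProtector -MountPoint $drive -KeyProtectorId $p.KeyProtectorId
}

# Only now start encryption, with the TPM as the unlock protector.
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    Enable-BitLocker -MountPoint $drive -TpmProtector -EncryptionMethod XtsAes256 -UsedSpaceOnly -SkipHardwareTest
}

# Show what we ended up with.
Get-BitLockerVolume -MountPoint $drive |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage
```

To confirm the escrow actually landed, look for a child object of class `msFVE-RecoveryInformation` under the computer object in AD (for example with `Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' -SearchBase <computer DN> -Properties msFVE-RecoveryPassword` from an account allowed to read it); if `Backup-BitLockerKeyProtector` throws, the usual causes are a missing AD schema extension, no domain controller reachable, or the policy not applied, and in every case the script stops before the drive is touched.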

