Oracle/MSSQL/MySQL Windows Server

How does Key Rotation work in MBAM?

How does key rotation work in MBAM

Key Rotation in Microsoft BitLocker Administration and Monitoring (MBAM) refers to the process of rotating the encryption keys used to protect BitLocker-encrypted drives. This is a security best practice to minimize the risk associated with long-term exposure to a single encryption key. In this article, we shall discuss How does Key Rotation work in MBAM. Please see how to Fix WDAC vulnerabilities by updating PowerShell, and How to deploy MBAM for Bitlocker Administration.

Key rotation helps enhance the overall security posture of the BitLocker deployment. It does this by limiting the time window during which an attacker could potentially exploit a compromised key. See how to Backup existing and new BitLocker Recovery Keys to Active Directory.

How exactly does the recovery work?

When the recovery is performed via the MBAM Helpdesk portal. The MBAM agent on the client’s computer will force it to rotate (meaning, the keys are rotated). That is, the Recovery Key and Recovery Key ID will be rotated.

Helpdesk BitLocker drive recovery
Helpdesk BitLocker drive recovery

Note: Disclosing the Recovery Key using self-service does not cause the key to rotate.

But when it is pulled from Active Directory. MBAM does not know about this request and the rotation will also not happen. For accountability (audit), BitLocker recovery should not be done over Active Directory. Want to learn how to Disable BitLocker on Windows 10

You will be able to verify this change very quickly by using the following command below. These new values are escrowed to the MBAM database based on the configured policy or to the ConfigMgr (SCCM) database in SQL.

manage-bde -protectors -get C:
manage bde getprotectors BitLocker
manage bde getprotectors BitLocker

Once the key has been disclosed in MBAM DB, it changes from “0” to “1”. Then the MBAM agent on the client’s computer will force it to rotate. You can see the new recovery ID and recovery password on the host below.


Note: I recommend implementing a backup of BitLocker recovery keys to Active Directory. In this way, you will avoid a single point of failure.

Regular audits and monitoring of key recovery activities in MBAM contribute to maintaining a robust and secure BitLocker deployment.

You may be interested in these: How to check if Microsoft BitLocker Administration and Monitoring is installed on Windows, how to Use Logrotate For Managing Log Files In Ubuntu Linux, and MBAM Frequent Report Errors: Understanding Microsoft BitLocker Administration and Monitoring compliance state and error status.

FAQs on Microsoft BitLocker Administration and Monitoring

Why is Key Rotation Important?

Key Rotation is crucial for maintaining the security of BitLocker-encrypted devices over time. It helps mitigate the impact of potential key compromise scenarios, such as insider threats or exposure to unauthorized access. By changing keys at regular intervals, organizations can reduce the risk associated with static encryption keys and enhance the overall resilience of their data protection strategy.

How Does Key Rotation Work in MBAM?

Key Rotation involves generating a new set of cryptographic keys for each BitLocker-protected drive and updating the corresponding recovery information stored in the MBAM database. MBAM provides an automated process for key rotation. Ensuring that the encryption keys are rotated when retrieved by the helpdesk without requiring manual intervention. The rotation process includes the generation of new BitLocker recovery keys and the storage of these keys in the MBAM Database for future retrieval.

You may want to see how MBAM Key Rotation works in MBAM integrated with SCCM, and What happens when WDS and DNS are installed on the same Windows Server? DNS issues with WDS.

I hope you found this article on how Key Rotation works in MBAM useful. Please let me know in the comment section if you have any questions.

Notify of

Inline Feedbacks
View all comments
Would love your thoughts, please comment.x