BitLocker Killer Mistakes


You have BitLocker deployment where you backup your BitLocker recovery key to Active Directory.

The wrong thing

When you format a computer, you go to AD, delete the computer account, and create a new one, then you join the formatted machine to domain! Killer mistake indeed!!!

The right thing

When you format a computer, you go to AD, (RESET THE COMPUTER ACCOUNT) , and then join the formatted machine to machine!

What can go wrong if I delete computer account

When you enable BitLocker on a computer drive, the machine will write BitLocker Recovery information on the computer account in AD. So if you delete a computer account, you will delete all BitLocker recovery information. Instead resetting computer account will not.

Common Mistake Scenario

A computer with C and D drive with BitLocker enabled on both of them. You backed up everything in the C drive and since the C drive is big enough, you decided to keep the D and only format the C drive.

You start installing Windows 8 for example on the C drive, you deleted the computer account from AD, and then you created a new one. Then you join the machine to domain, and enable BitLocker on the C drive.

Now you noticed the D drive is encrypted. You went to AD to find a recovery information for that drive. BOOOOM!!! no recovery information since you deleted the computer account and created a new one. Good luck with that.

Remember to always reset computer accounts instead of the old habit of deleting them