BitLocker Client Scenarios
What are the different client scenarios with BitLocker?
There are three main scenarios for client computers with regard to BitLocker and where the recovery key is stored:
- Unmanaged, not on the domain. The key is stored by the user, either in a text file, saved directly to a USB flash drive, as a printed file, or in a Microsoft account (cloud).
- Managed, on the domain, without MBAM. The computer is joined to the domain but does not have the MBAM (Microsoft BitLocker Administration and Monitoring) client installed. The key may be stored in AD if encryption was enabled AFTER JOINING the computer to the domain (BitLocker backs up the recovery password to AD when the protector is created, and only if Group Policy directs it to store recovery information in AD DS). If encryption was enabled BEFORE JOINING the computer to the domain, the key is not stored in AD unless it was manually uploaded afterwards. This is a less common scenario.
- Managed, on the domain, with MBAM. The computer is joined to the domain and has the MBAM client installed. The recovery key is stored in AD and in MBAM. This is the most likely scenario if the computer was encrypted via SCCM or Lite Touch imaging.
How to tell which state the client computer is in?
Domain with MBAM
Check whether the MBAM client is installed: open Programs and Features (Uninstall a program) and look for an entry named MDOP MBAM, or check whether the folder C:\Program Files\Microsoft\MDOP MBAM exists. If it does, the key can be recovered through the MBAM self-service portal or by the Service Desk.
Domain Only
Check whether the computer is on the domain: right-click Computer, select Properties, and verify that the Domain field reads "WIN.MIT.EDU". Since the MBAM client is not installed, you must contact network-win@mit.edu to have the key retrieved from AD (assuming it was automatically or manually uploaded).
Unmanaged
If the computer is not on the domain, it is unmanaged. The user or IT admin is responsible for storing the key. It is likely in a text file, a printout, a password manager such as LastPass, or a Microsoft account.
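The three checks above can be run in one step from an elevated PowerShell prompt. The script below is an added example and is not part of the original KB article; it assumes the OS volume is C:, the default MBAM install folder, and the WIN.MIT.EDU domain name shown above, and the -UploadToAD switch is an illustrative option for the "manually uploaded" case (it only succeeds where Group Policy permits AD DS backup of recovery information).

```powershell
# Added example (not from the MIT KB page): classify a client into the three
# BitLocker scenarios described above using the same checks (MBAM client,
# domain membership, recovery password protectors).
# Assumptions not stated on the page: OS volume is C:, default MBAM path,
# expected domain WIN.MIT.EDU. Get-BitLockerVolume requires administrator rights.

function Get-BitLockerClientScenario {
    [CmdletBinding()]
    param(
        [string]$ExpectedDomain = 'WIN.MIT.EDU',
        [string]$MountPoint     = 'C:',
        [string]$MbamPath       = 'C:\Program Files\Microsoft\MDOP MBAM',
        # Illustrative option: for a domain-only client, back the recovery
        # password(s) up to AD (the "manually uploaded" case on the page).
        [switch]$UploadToAD
    )

    # Check 1: MBAM client present? Either the install folder exists, or
    # "MDOP MBAM" appears in the uninstall registry behind Programs and Features.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $mbamEntry = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'MDOP MBAM*' }
    $mbamInstalled = (Test-Path -Path $MbamPath) -or [bool]$mbamEntry

    # Check 2: domain membership, the same data System Properties displays.
    $cs       = Get-CimInstance -ClassName Win32_ComputerSystem
    $onDomain = $cs.PartOfDomain -and ($cs.Domain -ieq $ExpectedDomain)

    # Check 3: BitLocker state and the recovery password protector(s) on the OS volume.
    $vol      = Get-BitLockerVolume -MountPoint $MountPoint
    $recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

    if (-not $onDomain) {
        $scenario = 'Unmanaged'
        $nextStep = 'Key is held by the user/IT admin (text file, printout, USB, password manager, Microsoft account).'
    } elseif ($mbamInstalled) {
        $scenario = 'Domain with MBAM'
        $nextStep = 'Recover via the MBAM self-service portal or the Service Desk.'
    } else {
        $scenario = 'Domain Only'
        $nextStep = 'Ask network-win@mit.edu to look up the key in AD; upload it first if it was never backed up.'
    }

    if ($UploadToAD -and $scenario -eq 'Domain Only') {
        foreach ($p in $recovery) {
            # Equivalent to: manage-bde -protectors -adbackup C: -id {protector GUID}
            Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
        }
    }

    [pscustomobject]@{
        ComputerName         = $cs.Name
        Domain               = $cs.Domain
        PartOfDomain         = $cs.PartOfDomain
        MbamClientInstalled  = $mbamInstalled
        ProtectionStatus     = $vol.ProtectionStatus
        RecoveryProtectorIds = $recovery.KeyProtectorId
        Scenario             = $scenario
        NextStep             = $nextStep
    }
}

Get-BitLockerClientScenario | Format-List
```

The script can only tell you which scenario the client is in and which recovery protector IDs exist; whether a given protector's password actually reached AD has to be confirmed from the domain side (the BitLocker Recovery tab on the computer object, or the msFVE-RecoveryInformation objects beneath it), which is why the Domain Only case still routes through network-win@mit.edu.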