SOLVED

Bitlocker on Virtual Machines


Is Bitlocker supported on virtual servers? We would like to implement virtual domain controllers and understand that Bitlocker cannot be used on Server 2012 R2 virtual machines. Is it supported on Server 2016 virtual machines?

5 Replies
best response confirmed by Michael Brunker (Occasional Contributor)
Solution

Yes, however there is a challenge which is that MBAM doesn't support servers yet. Without MBAM you can still use BitLocker but it won't be as manageable as some customers would like. You won't get reporting or self-service recovery. Some customers feel these capabilities are primarily for client OS. We tend to agree but we plan to add such functionality in the future. Based on priorities it won't happen any time soon.

 

-Chris 

So without MBAM support, what are the options for server encryption recovery? Manually capture the recovery key and store in key safe?

Managing your own key escrow? You're brave! :)

Just asking the question to see what the options are without MBAM.

@Michael Brunker you can store your Bitlocker keys, for your servers, in Active Directory. It can be done by utilizing the Bitlocker GPO and applying it to the respective OU where the computer resides.
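
One way to carry out and verify the Active Directory escrow described in the last reply, as an added example that is not part of any post in this thread. It assumes the BitLocker GPO is already linked to the server's OU, the BitLocker and ActiveDirectory (RSAT) PowerShell modules are installed, and the account running it may read `msFVE-RecoveryInformation` objects under the computer account.

```powershell
#Requires -RunAsAdministrator
# Added example: escrow BitLocker recovery passwords to AD DS, then confirm
# each protector ID exists in the directory. Only protector GUIDs are
# compared; recovery passwords are never read back or printed.

# 1. Check that the OS-drive AD backup policy from the GPO reached this host.
$policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
if (-not $policy -or $policy.OSActiveDirectoryBackup -ne 1) {
    Write-Warning 'AD DS backup of OS-drive recovery information is not enabled by policy.'
}
elseif ($policy.OSRequireActiveDirectoryBackup -ne 1) {
    Write-Warning 'Policy does not require a successful AD backup before BitLocker is enabled.'
}

# 2. Back up every recovery-password protector on every BitLocker volume.
$escrowed = foreach ($vol in Get-BitLockerVolume) {
    $protectors = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    if ($protectors.Count -eq 0 -and $vol.ProtectionStatus -eq 'On') {
        Write-Warning "$($vol.MountPoint) is protected but has no recovery password to escrow."
    }
    foreach ($kp in $protectors) {
        Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint `
            -KeyProtectorId $kp.KeyProtectorId -ErrorAction Stop | Out-Null
        [pscustomobject]@{
            MountPoint = $vol.MountPoint
            Id         = $kp.KeyProtectorId.Trim('{', '}')
        }
    }
}

# 3. Read the recovery objects stored under this computer account in AD.
Import-Module ActiveDirectory
$computerDn = (Get-ADComputer -Identity $env:COMPUTERNAME).DistinguishedName
$adGuids = Get-ADObject -SearchBase $computerDn `
        -Filter "objectClass -eq 'msFVE-RecoveryInformation'" `
        -Properties 'msFVE-RecoveryGuid' |
    ForEach-Object { ([guid]$_.'msFVE-RecoveryGuid').ToString() }

# 4. Report any protector that is missing from the directory.
foreach ($entry in $escrowed) {
    [pscustomobject]@{
        MountPoint   = $entry.MountPoint
        ProtectorId  = $entry.Id
        EscrowedInAD = ($adGuids -contains $entry.Id)   # -contains is case-insensitive
    }
}
```

A row with `EscrowedInAD` set to `False` means that volume's recovery password is not recoverable from the directory and should be handled before the server is relied on.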