Implement BitLocker To Go in MBAM.

Most users will encrypt their USB media with BitLocker To Go, move data onto it and remove it from the device.
To have the recovery key in the MBAM database, the USB device needs to be connected in an unlocked state to the computer while the MBAM agent performs its cycle.

There should be an implementation of BitLocker To Go that stores recovery keys in the MBAM database through policy.

16 votes
Tobias Krueger shared this idea

    2 comments

• Tobias Krueger commented  · 

This setting is enabled. Anyway, the end user is not able to perform a self-service recovery in the MBAM self-service portal if he removes the USB drive right after encryption.

• Brett commented  · 

        There is a BitLocker setting to require backup to AD before encryption begins, specifically to prevent this from happening. Have you tested that and still experience this issue with removable drives?

        https://technet.microsoft.com/en-us/library/jj679890(v=ws.11).aspx#BKMK_rec3

        "If you select Require BitLocker backup to AD DS, BitLocker cannot be turned on unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. This option is selected by default to help ensure that BitLocker recovery is possible."
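The following PowerShell script is an added example and is not part of this thread or of MBAM; it illustrates the check an administrator would run after reading Brett's comment. It reads the removable-drive recovery policy values that the "Require BitLocker backup to AD DS" setting writes under the FVE policy key, then enumerates the recovery password protectors on one BitLocker To Go volume and escrows each to AD DS with `Backup-BitLockerKeyProtector`. It assumes an elevated session on a domain-joined Windows client with the BitLocker module available; the mount point is a placeholder. Note that this covers only the AD DS path the comment refers to, not the separate MBAM agent escrow the original post is about.

```powershell
# Added example (not from the UserVoice thread or from MBAM).
# Audits the removable-drive "backup to AD DS" policy and escrows recovery
# passwords for one BitLocker To Go volume to AD DS.
# Assumption: run elevated on a domain-joined client; $MountPoint is a placeholder.
param(
    [string]$MountPoint = 'E:'   # placeholder: drive letter of the BitLocker To Go volume
)

$fvePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# Values written by the "Choose how BitLocker-protected removable drives can be
# recovered" policy: RDVActiveDirectoryBackup turns the backup on, and
# RDVRequireActiveDirectoryBackup blocks encryption until that backup succeeds.
$policy = Get-ItemProperty -Path $fvePolicyKey -ErrorAction SilentlyContinue
$backupEnabled  = ($policy.RDVActiveDirectoryBackup -eq 1)
$backupRequired = ($policy.RDVRequireActiveDirectoryBackup -eq 1)

[pscustomobject]@{
    ADBackupEnabled  = $backupEnabled
    ADBackupRequired = $backupRequired
}

if (-not $backupRequired) {
    Write-Warning 'Removable-drive recovery info is not required to reach AD DS before encryption; a drive removed right after encryption may have no escrowed key.'
}

# The volume must be unlocked for its protectors to be read and backed up.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.LockStatus -ne 'Unlocked') {
    Write-Warning "$MountPoint is locked; unlock it before escrowing its recovery password."
    return
}

$recoveryProtectors = $vol.KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

if (-not $recoveryProtectors) {
    Write-Warning "No RecoveryPassword protector on $MountPoint; nothing to escrow."
    return
}

foreach ($kp in $recoveryProtectors) {
    # Writes the recovery password to the computer object in AD DS.
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
    "Escrowed protector $($kp.KeyProtectorId) for $MountPoint to AD DS."
}
```

Run it with `.\Escrow-RemovableDriveKey.ps1 -MountPoint 'F:'` (script name is the reader's choice) while the drive is still attached and unlocked; the first object shows whether the policy would have blocked encryption without a successful backup, and the loop makes the escrow explicit for drives that were encrypted before the policy was set.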
