soultrain99

How can I retrieve a Recovery Key for a machine no longer in AD

Question

Setting:

I have an MBAM Server 2.5 SP1 which is integrated with SCCM 2012 R2. The recovery keys are in its DB as well as in AD.

 

Scenario:

I took a hard drive out of a machine (WS1) and placed it into a USB HD enclosure, which I attached to another machine (WS2). The drive came up saying it's encrypted, and when I tried to unlock it, it asked for the recovery password.

 

I noticed that when I used the self-service page to recover the password, it said "Invalid Key".

 

I looked at the SQL and ran this query:

SELECT TOP 1000 [Id]
      ,[LastUpdateTime]
      ,[VolumeId]
      ,[RecoveryKeyId]
      ,[RecoveryKey]
      ,[RecoveryKeyPackage]
      ,[Disclosed]
  FROM [MBAM Recovery and Hardware].[RecoveryAndHardwareCore].[Keys]

I saw the Recovery Key ID in SQL and tried it via AD, and it gave me the same password.

When I opened the AD object and looked under the BitLocker tab, I saw all the recovery IDs; there was one that never made it to the MBAM DB. I used that one and it unlocked.

 

I have 2 questions:

1) How can it populate the MBAM DB at the same time as AD?

2) Let's say that I had removed the (WS1) computer 1 year ago and needed to recover the data. Where would I find the key?

 

I just want to make the recovery process as painless as possible for the Helpdesk.

3 answers to this question

That doesn't seem right to me. This is how it works for me:

 

We activate BitLocker in the task sequence, which stores the recovery key in AD. The MBAM client and group policy kick in later, and the key is escrowed to the MBAM database. The MBAM database is then the authoritative source, since if the user changes the BitLocker password the recovery key is changed in the MBAM database but not in AD.

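As an added example (not part of the question or of the answer above), the following PowerShell script automates the comparison the question describes and that the answer explains: it takes the recovery key ID shown by the locked volume's unlock prompt (full GUID or the 8-character prefix), looks it up both under the computer's AD object (the msFVE-RecoveryInformation children that the BitLocker tab displays) and in the MBAM "Recovery and Hardware" database's RecoveryAndHardwareCore.Keys table from the original post, prints every match with its source, and optionally unlocks the attached volume with the first password found. The SQL instance name, the parameter names and the function names are assumptions; the script needs the ActiveDirectory (RSAT) and BitLocker modules, and read access to the MBAM database.

```powershell
# Added example: cross-check a BitLocker recovery key ID against AD and the MBAM DB.
# Assumed: $SqlServer default, function names; schema/table/column names are those
# visible in the original post's query (RecoveryAndHardwareCore.Keys).
param(
    [Parameter(Mandatory)] [string] $ComputerName,   # original host, e.g. WS1
    [Parameter(Mandatory)] [string] $RecoveryKeyId,  # GUID or the 8-char prefix from the unlock prompt
    [string] $SqlServer = 'MBAMSQL01',               # assumed MBAM SQL instance
    [string] $MountPoint                             # e.g. 'E:' to unlock the USB-attached volume
)

Import-Module ActiveDirectory
Import-Module BitLocker

function Get-AdRecoveryKey([string] $Computer) {
    # Throws if the computer object no longer exists: deleting the computer also
    # deletes its msFVE-RecoveryInformation children, so AD is no help after that.
    $obj = Get-ADComputer -Identity $Computer
    Get-ADObject -LDAPFilter '(objectClass=msFVE-RecoveryInformation)' `
        -SearchBase $obj.DistinguishedName `
        -Properties 'msFVE-RecoveryPassword', 'whenCreated' |
    ForEach-Object {
        # CN is "<ISO timestamp>{<RecoveryGuid>}"; the GUID is the Password ID the BitLocker tab shows
        $guid = [regex]::Match($_.Name, '\{([0-9A-Fa-f-]{36})\}').Groups[1].Value
        [pscustomobject]@{
            Source   = 'AD'
            KeyId    = $guid
            Password = $_.'msFVE-RecoveryPassword'
            Time     = $_.whenCreated
            Disclosed = $null
        }
    }
}

function Get-MbamRecoveryKey([string] $Server, [string] $KeyIdPrefix) {
    $cs = "Server=$Server;Database=MBAM Recovery and Hardware;Integrated Security=SSPI"
    $conn = New-Object System.Data.SqlClient.SqlConnection $cs
    $cmd  = $conn.CreateCommand()
    # Parameterised prefix match; CONVERT makes it work whether RecoveryKeyId is a
    # uniqueidentifier or a string column.
    $cmd.CommandText = @"
SELECT RecoveryKeyId, RecoveryKey, LastUpdateTime, Disclosed
FROM   RecoveryAndHardwareCore.Keys
WHERE  CONVERT(nvarchar(36), RecoveryKeyId) LIKE @prefix + '%'
"@
    $null = $cmd.Parameters.Add('@prefix', [System.Data.SqlDbType]::NVarChar, 36)
    $cmd.Parameters['@prefix'].Value = $KeyIdPrefix
    $conn.Open()
    try {
        $r = $cmd.ExecuteReader()
        while ($r.Read()) {
            [pscustomobject]@{
                Source    = 'MBAM'
                KeyId     = $r['RecoveryKeyId'].ToString()
                Password  = $r['RecoveryKey']
                Time      = $r['LastUpdateTime']
                Disclosed = $r['Disclosed']
            }
        }
    } finally { $conn.Close() }
}

$prefix = $RecoveryKeyId.Trim('{}')
$hits = @()
try   { $hits += Get-AdRecoveryKey -Computer $ComputerName | Where-Object { $_.KeyId -like "$prefix*" } }
catch { Write-Warning "AD lookup failed for $ComputerName : $($_.Exception.Message)" }
$hits += Get-MbamRecoveryKey -Server $SqlServer -KeyIdPrefix $prefix

if (-not $hits) { Write-Error "No recovery key matching $prefix in AD or MBAM"; return }

# Side-by-side view: a key present in only one source is exactly the situation in the question.
$hits | Sort-Object Time | Format-Table Source, KeyId, Time, Disclosed -AutoSize

if ($MountPoint) {
    Unlock-BitLocker -MountPoint $MountPoint -RecoveryPassword $hits[0].Password
}
```

Usage: `.\Find-RecoveryKey.ps1 -ComputerName WS1 -RecoveryKeyId 1A2B3C4D -MountPoint E:` on WS2, with the enclosure attached. Reading RecoveryKey straight from the table bypasses the disclosure tracking that the MBAM Helpdesk and Self-Service portals perform, so for routine Helpdesk use the portal remains the right tool; the direct query is for the case in the question, where the portal rejects the ID and you need to see which source actually holds the key.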