How does Key Rotation work in the BitLocker Management feature in ConfigMgr

Microsoft recently released Configuration Manager Technical Preview version 1909, which contained updates to the integrated MBAM functionality within Configuration Manager (I blogged about that here). Those updates included the Self Service and Help Desk abilities.

In previous blog posts we looked at the Self Service feature for end users and then at the Help Desk feature. But what happens on the client and in the database once the recovery key has been disclosed (via the Help Desk)? The Recovery Key and Recovery Key ID will rotate.

Note: Disclosing the Recovery Key using Self Service does not cause the key to rotate.

What is Key Rotation

Key rotation allows admins to use a single-use key (via the Help Desk) for unlocking a BitLocker encrypted device. Once this key is used, a new key is generated for the device and stored securely on-premises in the ConfigMgr database.

Source – https://techcommunity.microsoft.com/t5/Enterprise-Mobility-Security/Microsoft-expands-BitLocker-management-capabilities-for-the/ba-p/544329

This helps to prevent a rogue Help Desk user from trying to decrypt the contents of the computer without permission, because once the key has been used by the end user it is rotated and is therefore useless.


Key Rotation

If you look in SQL with the following query, you can view the recently used recovery key IDs and their associated recovery keys, and whether they were disclosed or not via the Disclosed column. Change CM_P01 to match your own ConfigMgr database name.

/****** Script for SelectTopNRows command from SSMS ******/
/* Returns all columns of the keys table, including the Disclosed flag, for the 1000 most recent rows */
SELECT TOP (1000) *
FROM [CM_P01].[dbo].[RecoveryAndHardwareCore_Keys]



Once the key has been disclosed, the MBAM agent on the client computer will force it to rotate, and you can see the new recovery ID and recovery password on the client below.



And that is mirrored in SQL.



And you can confirm that change on the client itself in Event Viewer: in the MBAM Operational log, look for event ID 30.
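The same check from the client side, as an added example that is not part of the original post: the script records the recovery password protector IDs of each BitLocker volume, compares them with a baseline saved by an earlier run, and lists the MBAM event ID 30 entries, so an admin can verify that a Help Desk disclosure really caused the key to rotate. The baseline file path is an assumption; the event log name is the standard MBAM agent log.

```powershell
# Added example, not code from the original post. Run in an elevated PowerShell
# session on the client. Assumed baseline path; change as needed.
param([string]$BaselinePath = "$env:ProgramData\RecoveryKeyBaseline.json")

# Collect the current RecoveryPassword protector IDs per volume.
$current = @{}
foreach ($vol in Get-BitLockerVolume) {
    $ids = @($vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
        ForEach-Object { $_.KeyProtectorId })
    $current[$vol.MountPoint] = $ids
}

# Compare with the baseline from a previous run (if one exists).
if (Test-Path $BaselinePath) {
    $baseline = Get-Content $BaselinePath -Raw | ConvertFrom-Json
    foreach ($mp in $current.Keys) {
        $old = @($baseline.$mp | Where-Object { $_ })
        $new = $current[$mp]
        if ($old.Count -eq 0) {
            Write-Output "$mp : no baseline recorded yet"
            continue
        }
        $diff = Compare-Object -ReferenceObject $old -DifferenceObject $new
        if ($diff) {
            Write-Output "$mp : recovery key ID ROTATED"
            Write-Output ("   old: {0}" -f ($old -join ', '))
            Write-Output ("   new: {0}" -f ($new -join ', '))
        } else {
            Write-Output "$mp : recovery key ID unchanged ($($new -join ', '))"
        }
    }
}

# Save the current IDs as the new baseline for the next run.
$current | ConvertTo-Json | Set-Content -Path $BaselinePath

# Show the most recent MBAM agent events with ID 30 (the rotation event
# the post points to in Event Viewer).
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-MBAM/Operational'; Id = 30
} -MaxEvents 10 -ErrorAction SilentlyContinue
foreach ($e in $events) {
    '{0}  {1}' -f $e.TimeCreated, (($e.Message -split "`n")[0])
}
```

Run it once before disclosing the key via the Help Desk to record the baseline, and again afterwards; the second run reports whether the protector ID changed and shows the matching event entries.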



Note: The recovery key will also rotate on devices already encrypted using BitLocker if they are added to a collection that has BitLocker Management policies deployed to it. For more information about that, see this post.
