This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(28.799999999999997, 60%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMG%3C/text%3E%3C/svg%3E)
Hi all
i have questation about recovery keys in MBAM database. We have many computers without keys saved in MBAM database, but only stored in AD.Is possible from client resend,regenerate recovery keys ? etc mbam with parameters , or powershell ?
thanx
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(316.8, 74%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHY%3C/text%3E%3C/svg%3E)
Yes, if you are still looking there is a PS to send the key to MBAM but if your devices are Azure AD joined then you can save it in Azure AD.
Unfortunately, no.
When the Microsoft BitLocker Administration and Monitoring (MBAM) solution is deployed to clients, it enables a user- or policy-initiated encryption of the local volumes using BitLocker and stores the recovery key in the MBAM SQL Server database for easy lookup by the user or the Help desk.
If a machine is already BitLocker-encrypted before the MBAM client is installed, then when the MBAM client is installed, the recovery key is extracted from the machine’s local store and sent to the MBAM SQL Server database. It’s not possible for MBAM to perform a bulk extraction from AD and populate its SQL Server data store.
There is a good example for you to understand manage bitlocker through MBAM of already encrypted machine, try the thread here to see if can help you.
Transfer Bitlocker Recovery Key and TPM info from AD to MBAM during domain migration
https://social.technet.microsoft.com/Forums/windows/en-US/70ee8993-35b5-4bad-9767-e2ce940214c7/transfer-bitlocker-recovery-key-and-tpm-info-from-ad-to-mbam-during-domain-migration?forum=mdopmbam
-------------------------------------------------------------------------------------
If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(99.2, 0%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EC%3C/text%3E%3C/svg%3E)
MBAM will only be able to override a BitLocker-protected device only if the same encryption mechanism is employed. Otherwise, you will have to decrypt and re-encrypt using MBAM.
thank you,
but we use MBAM some years and now after migrate to windows 10 1909 we lost some mbam recovery keys. this keys is in ad. We can extract from ad and insert to mbam database, but exist solution how send this keys from pc ? Etc we can try reinstall client, upgrade client to new version. Or exist some command to regenerate key and send to mbam database ? or mbam klient check existence recovery keys and if missig resend this ?
thanx.
What i can come up with is decrypting clients and re-encrypting, BitLocker will generate recovery key, keep these key to MBAM is ok
Hello @Marek G ,
I wouldn't advise using the script but finding the underlying cause of the issue. There could be many reasons why the keys weren't escrowed to the MBAM database. The following links below will be helpful to you.
I would say, saving the recovery key to AD is just to avoid a single point of failure and you have to ensure these devices have their recovery keys saved to AD. In this way, they will be able to perform self-service recovery of the keys and the helpdesk will also be able to help recover their keys.
Lastly, a thorough understanding of the MBAM report will help you as well: https://techdirectarchive.com/2022/02/07/mbam-enterprise-compliance-computer-compliance-and-recovery-audit-report-understanding-the-microsoft-bitlocker-administration-and-monitoring-mbam-reports-fields/
For more queries, I will be very happy to help you. Kindly leave a comment below.