Missing MBAM recovery keys

Marek G 151 Reputation points

Hi all
i have questation about recovery keys in MBAM database. We have many computers without keys saved in MBAM database, but only stored in AD.Is possible from client resend,regenerate recovery keys ? etc mbam with parameters , or powershell ?

Windows 10 Security
Windows 10 Security
Windows 10: A Microsoft operating system that runs on personal computers and tablets.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
2,748 questions
{count} votes

3 answers

Sort by: Most helpful
  1. Teemo Tang 11,336 Reputation points

    Unfortunately, no.
    When the Microsoft BitLocker Administration and Monitoring (MBAM) solution is deployed to clients, it enables a user- or policy-initiated encryption of the local volumes using BitLocker and stores the recovery key in the MBAM SQL Server database for easy lookup by the user or the Help desk.
    If a machine is already BitLocker-encrypted before the MBAM client is installed, then when the MBAM client is installed, the recovery key is extracted from the machine’s local store and sent to the MBAM SQL Server database. It’s not possible for MBAM to perform a bulk extraction from AD and populate its SQL Server data store.
    There is a good example for you to understand manage bitlocker through MBAM of already encrypted machine, try the thread here to see if can help you.
    Transfer Bitlocker Recovery Key and TPM info from AD to MBAM during domain migration


    If the Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

  2. Marek G 151 Reputation points

    thank you,
    but we use MBAM some years and now after migrate to windows 10 1909 we lost some mbam recovery keys. this keys is in ad. We can extract from ad and insert to mbam database, but exist solution how send this keys from pc ? Etc we can try reinstall client, upgrade client to new version. Or exist some command to regenerate key and send to mbam database ? or mbam klient check existence recovery keys and if missig resend this ?

  3. Christian 21 Reputation points MVP

    Hello @Marek G ,

    I wouldn't advise using the script but finding the underlying cause of the issue. There could be many reasons why the keys weren't escrowed to the MBAM database. The following links below will be helpful to you.

    I would say, saving the recovery key to AD is just to avoid a single point of failure and you have to ensure these devices have their recovery keys saved to AD. In this way, they will be able to perform self-service recovery of the keys and the helpdesk will also be able to help recover their keys.

    Lastly, a thorough understanding of the MBAM report will help you as well: https://techdirectarchive.com/2022/02/07/mbam-enterprise-compliance-computer-compliance-and-recovery-audit-report-understanding-the-microsoft-bitlocker-administration-and-monitoring-mbam-reports-fields/

    For more queries, I will be very happy to help you. Kindly leave a comment below.

    0 comments No comments