I tested this scenario too but without MBAM because I don't have one.
- Create user1 and user2
- Log on with user1 and turn BitLocker on, save the recovery key file
- Log on with user2, decrypt the volume, turn BitLocker off then turn it on again to encrypt it, save the recovery key file
- Compare the two recovery key files
Conclusion: Each encryption will generate a new recovery key. Recovery IDs are also different.
So I think it's normal that user1 and user2 both have a recovery ID in their self-service portal.
But during my test, I found that when I log on with user2, I can see files and folders of user1 when I choose to save a file. The files and folders were created on user1's desktop. I cannot see them on user2's desktop, so I cannot try whether I can open them, but they did appear when choosing where to put newly created files.
So if two users use the same computer, they may both have access to some data on the PC. This might be a risk.
This is odd.
I'm not familiar with MBAM, but I think that using the self-service portal to get the recovery key needs the key ID provided by the recovery prompt. Do you mean that the key IDs provided in the prompt for both user1 and user2 are also the same? I suggest checking it.
This is the prompt when choosing to unlock with the recovery key. If you encrypted the C drive, the prompt should be a blue screen with the full recovery ID.
I'm not sure whether MBAM has a feature to delete old recovery records. But the recovery ID should not be the same for two encryption operations and will change after you turn BitLocker off then turn it on again.
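
The "compare two recovery key files" step and the check that the recovery ID changes after BitLocker is turned off and on again, as an added PowerShell example that is not part of the original thread. It assumes an elevated session, that each saved recovery key file contains the recovery ID as the only GUID in it, and the two file paths are hypothetical placeholders.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session.
# $KeyFiles holds hypothetical paths to the recovery key files saved by each user.
param(
    [string]$MountPoint = 'C:',
    [string[]]$KeyFiles = @('D:\user1-recovery.txt', 'D:\user2-recovery.txt')
)

$guidPattern = '[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}'

function Get-SavedRecoveryId {
    param([string]$Path)
    # Assumption: the recovery ID is the only GUID in the saved file.
    # The 48-digit recovery password itself never matches this pattern.
    $text = Get-Content -LiteralPath $Path -Raw
    if ($text -match $guidPattern) { return $Matches[0].ToUpper() }
    throw "No recovery ID found in $Path"
}

# Recovery password protector IDs currently present on the volume.
# Empty if BitLocker is off or no recovery password protector exists.
$current = @(
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword' |
        ForEach-Object { $_.KeyProtectorId.Trim('{}').ToUpper() }
)

# Recovery ID from each saved file, flagged if it still unlocks this volume.
$saved = @(
    foreach ($file in $KeyFiles) {
        $id = Get-SavedRecoveryId -Path $file
        [pscustomobject]@{
            File                 = $file
            RecoveryId           = $id
            MatchesCurrentVolume = $current -contains $id
        }
    }
)

$saved | Format-Table -AutoSize

# Two files with the same ID would mean the volume was not re-encrypted in between.
$unique = @($saved.RecoveryId | Select-Object -Unique)
if ($unique.Count -lt $saved.Count) {
    Write-Warning 'Two or more saved files carry the same recovery ID.'
}
```

After the test sequence in the thread, only the file saved by user2 should show `MatchesCurrentVolume` as `True`; the ID from user1's file belongs to a protector that no longer exists on the volume.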