bitlocker recovery key question

Jeffrey Tucker 346 Reputation points
2021-01-21T19:36:41.877+00:00

Hello.

Starting to deploy BitLocker via MECM. Currently testing. I got a successful deployment of the BL settings to a test machine. I want to be sure that I can get the proper information to recover if a user calls needing it for whatever reason. I know that I can get all the required info from manually enabling BL from Windows. I tried to back up the recovery info to AD objects and got errors. So I went the route of doing a SQL query. This returned info. However, the info does not seem relevant compared to what I get running the command "manage-bde -protectors c: -get". The query returned the recovery key as a very long number. The SQL query I run is the following:

use [CM_CTW];
select a.Id, a.Name, b.VolumeId, c.RecoveryKeyId, c.RecoveryKey, c.LastUpdateTime from dbo.RecoveryAndHardwareCore_Machines a
inner join dbo.RecoveryAndHardwareCore_Machines_Volumes b ON a.Id = b.MachineId
inner join dbo.RecoveryAndHardwareCore_Keys c ON b.VolumeId = c.VolumeId
where a.name LIKE 'RANDOMNAME%'

Thanks

Microsoft Configuration Manager

Accepted answer
  1. AllenLiu-MSFT 46,291 Reputation points Microsoft Vendor
    2021-01-22T06:26:59.393+00:00

    @Jeffrey Tucker
    Thank you for posting in Microsoft Q&A forum.
    The recovery key is encrypted in the SCCM database; there is no direct query we can use for this.
    Have you reviewed the article below to try to decrypt it:
    https://geekdudes.wordpress.com/2020/03/25/sccm-get-decrypt-bitlocker-recovery-keys-from-the-configmgr-database/

    On the other hand, we may try to set up the BitLocker portals and use the BitLocker administration and monitoring website. The BitLocker administration and monitoring website is an administrative interface for BitLocker Drive Encryption. It's also referred to as the help desk portal. Use this website to review reports, recover users' drives, and manage device TPMs.
    For the details:
    https://learn.microsoft.com/en-us/mem/configmgr/protect/deploy-use/bitlocker/setup-websites


    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


2 additional answers

  1. Gary Blok 1,746 Reputation points
    2021-01-21T22:13:18.927+00:00

    Recovery Keys for BitLocker will look like: [image: 59249-image.png]

    1 person found this answer helpful.
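The client-side check the thread talks about (what `manage-bde -protectors c: -get` shows, the 48-digit recovery password layout, and the AD backup that failed for the asker), written up as an added PowerShell example that is not part of any answer here. It assumes the built-in BitLocker module on an elevated prompt; the helper function names are my own.

```powershell
# Added example, not from the thread: list the RecoveryPassword protectors on the
# OS volume, confirm each has the expected 48-digit layout, and escrow it to the
# computer object in AD. Helper names Test-BitLockerRecoveryPassword and
# Get-RecoveryPasswordProtector are hypothetical (defined here).

function Test-BitLockerRecoveryPassword {
    param([Parameter(Mandatory)][string]$Password)
    # Expected form: 8 groups of 6 digits separated by hyphens.
    if ($Password -notmatch '^(\d{6}-){7}\d{6}$') { return $false }
    foreach ($group in ($Password -split '-')) {
        $n = [int]$group
        # Each group is a 16-bit value multiplied by 11 (built-in check digit),
        # so it must be divisible by 11 and below 65536 * 11 = 720896.
        if (($n % 11) -ne 0 -or $n -ge 720896) { return $false }
    }
    return $true
}

function Get-RecoveryPasswordProtector {
    param([string]$MountPoint = 'C:')
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
}

$protectors = Get-RecoveryPasswordProtector -MountPoint 'C:'
if (-not $protectors) {
    Write-Warning 'No RecoveryPassword protector on C:; nothing to escrow.'
    return
}
foreach ($p in $protectors) {
    $ok = Test-BitLockerRecoveryPassword -Password $p.RecoveryPassword
    '{0}  {1}  format-ok={2}' -f $p.KeyProtectorId, $p.RecoveryPassword, $ok
    if (-not $ok) { continue }
    try {
        # Same operation as: manage-bde -protectors -adbackup C: -id <KeyProtectorId>
        # Requires the AD schema extension and the BitLocker backup GPO to be in place.
        Backup-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $p.KeyProtectorId -ErrorAction Stop
        'Escrowed {0} to Active Directory.' -f $p.KeyProtectorId
    } catch {
        # Surface the exact error (schema, permissions, or GPO) instead of a silent failure.
        Write-Warning ('AD backup failed for {0}: {1}' -f $p.KeyProtectorId, $_.Exception.Message)
    }
}
```

The value printed per protector is the 48-digit recovery password in clear text, so run this only where the output is handled the way the help desk portal output would be.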

  2. Bagitman 586 Reputation points
    2021-01-22T19:30:03.94+00:00

    I like to remind people that handing the recovery key to users (for whatever reason) means losing all control. With that key, users may manipulate or copy all data on it (and of course decrypt it or make themselves admin). Recovery keys should only be entered by support personnel; giving them to users is (security-wise) a very bad idea.
    (just be aware of that)

