MECM Bitlocker HelpDesk page doesn't show any recovery keys

Stefan 6 Reputation points
2022-06-29T11:18:31.113+00:00

Hi everyone,

we've got an issue with Bitlocker recovery keys after migrating our MECM Server from one VM (Server 2012 R2) to a new one (Server 2019) with the same name and IP address.
Since we migrated the server with a full backup recovery and did all the post actions that had to be done, we realized a problem with the MBAM HelpDesk website. The website can be accessed by all helpdesk users and the search for recovery keys seems to be working fine, except for the fact that there are no recovery keys shown in the "Drive Recovery Key" section:

216161-image.png

When we checked the database entries, we could see that all entries are available and that the keyID has a dataset, too:

216132-image.png

We checked database access for all user and service accounts and can't find any problems with that. Even with db_owner rights for all accounts involved, there is no change in the behaviour.
Clients are able to update their keys in the database, by the way, but we are not able to get the recovery keys.

We are thankful for every idea we can check out to resolve the problem.
Thanks ahead!

Tags: Windows 10 Security, Microsoft Configuration Manager

7 answers

  1. Stefan 6 Reputation points
    2022-07-07T09:41:01.23+00:00

    Hi everyone,

    first of all, thanks for your help and your suggestions. With some help from "Computacenter", we were finally able to solve the problem.
    We needed to export the masterkey out of the old database and import it again into our new database. After the successful migration of the server, we only did this with the bitlocker certificate, but missed the masterkey. If someone has the same problem in the future, just use the same procedure:

    1. Delete the bitlocker certificate in the NEW database (if it already had been imported like in our environment)
    2. Export masterkey from the OLD database with SQL query:

    USE CM_T01;
    OPEN MASTER KEY DECRYPTION BY PASSWORD = 'Bitlocker masterkey password';
    BACKUP MASTER KEY TO FILE = 'C:\Cert\CM_T01_master_key'
    ENCRYPTION BY PASSWORD = 'Bitlocker masterkey password';
    GO

    3. Import masterkey into the NEW database with SQL query:

    USE CM_T01;
    RESTORE MASTER KEY FROM FILE = 'C:\Cert\CM_T01_master_key'
    DECRYPTION BY PASSWORD = 'Bitlocker masterkey password'
    ENCRYPTION BY PASSWORD = 'Bitlocker masterkey password'
    FORCE;
    GO

    4. Import bitlocker certificate into NEW database with SQL query (as described in https://learn.microsoft.com/en-us/mem/configmgr/protect/deploy-use/bitlocker/encrypt-recovery-data):

    USE CM_T01
    IF NOT EXISTS (SELECT name FROM sys.symmetric_keys WHERE name = '##MS_DatabaseMasterKey##')
    BEGIN
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Bitlocker masterkey password'
    END

    IF NOT EXISTS (SELECT name from sys.certificates WHERE name = 'BitLockerManagement_CERT')
    BEGIN

    CREATE CERTIFICATE BitLockerManagement_CERT AUTHORIZATION RecoveryAndHardwareCore
    FROM FILE = 'C:\Cert\BitLockerManagement_CERT'
    WITH PRIVATE KEY ( FILE = 'C:\BitLockerManagement_CERT_KEY',
    DECRYPTION BY PASSWORD = 'Bitlocker exportkey password')

    GRANT CONTROL ON CERTIFICATE ::BitLockerManagement_CERT TO RecoveryAndHardwareRead
    GRANT CONTROL ON CERTIFICATE ::BitLockerManagement_CERT TO RecoveryAndHardwareWrite
    END

    Afterwards everything worked for us like a charm.

    Probably this helps someone in the future facing the same problem.

    Again thank you all for your time and thoughts!

    Regards
    st3ff

    1 person found this answer helpful.
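A post-migration check of the three pieces the accepted answer restores (database master key, certificate, certificate permissions). This script is added here as an example and is not from the thread or from Microsoft's documentation; it assumes the database name CM_T01 and the placeholder master key password used in the post, and reads the catalog views sys.key_encryptions, sys.certificates and sys.database_permissions.

```sql
-- Added diagnostic (not from the thread). Assumes the site database is CM_T01
-- and the placeholder password from the post; adjust both for your environment.
USE CM_T01;
GO

-- 1. Does the database master key (DMK) exist, and what protects it?
--    ENCRYPTION_BY_MASTER_KEY   = encrypted by the instance's service master key (auto-open works)
--    ENCRYPTION_BY_PASSWORD     = password only, which is what a DMK restored from
--                                 another server typically shows until it is re-protected
SELECT sk.name, ke.crypt_type_desc
FROM sys.symmetric_keys AS sk
JOIN sys.key_encryptions AS ke ON ke.key_id = sk.symmetric_key_id
WHERE sk.name = '##MS_DatabaseMasterKey##';

-- 2. Is the BitLocker certificate present, owned by RecoveryAndHardwareCore,
--    and is its private key stored (encrypted by the DMK) rather than missing?
SELECT c.name,
       USER_NAME(c.principal_id)      AS owner_name,
       c.pvt_key_encryption_type_desc AS private_key_protection,
       c.expiry_date
FROM sys.certificates AS c
WHERE c.name = 'BitLockerManagement_CERT';

-- 3. Who holds CONTROL on the certificate? The post grants it to the
--    RecoveryAndHardwareRead and RecoveryAndHardwareWrite roles.
SELECT USER_NAME(dp.grantee_principal_id) AS grantee,
       dp.permission_name,
       dp.state_desc
FROM sys.database_permissions AS dp
JOIN sys.certificates AS c ON c.certificate_id = dp.major_id
WHERE dp.class_desc = 'CERTIFICATE'
  AND c.name = 'BitLockerManagement_CERT';

-- 4. Can the DMK be opened with the password at all? If this fails, the key
--    exported from the old database was never restored (the situation in the post).
BEGIN TRY
    OPEN MASTER KEY DECRYPTION BY PASSWORD = 'Bitlocker masterkey password';
    PRINT 'DMK opened with password: OK';
    CLOSE MASTER KEY;
END TRY
BEGIN CATCH
    PRINT 'DMK could not be opened: ' + ERROR_MESSAGE();
END CATCH;
-- If step 1 shows only ENCRYPTION_BY_PASSWORD on the new instance, run
-- OPEN MASTER KEY ... followed by ALTER MASTER KEY ADD ENCRYPTION BY SERVICE MASTER KEY
-- so the key can be opened automatically by the service accounts.
```

Run it against the new site database after the restore; all three SELECTs should return a row before the HelpDesk page is expected to show keys.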

  2. AllenLiu-MSFT 40,961 Reputation points Microsoft Vendor
    2022-06-30T07:01:07.173+00:00

    Hi, @26496502

    Thank you for posting in Microsoft Q&A forum.

    It looks like a strange issue. Have we checked the BitLockerManagementHandler.log on the client to see if there is any error or related event message?


    If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  3. Stefan 6 Reputation points
    2022-06-30T08:29:31.167+00:00

    Hi Allen,

    thanks for your suggestions.
    I created a completely new client for testing and checked the BitlockerManagementHandler.log, and the only error I can find is "Failed to check enrollment url, 0x00000001:" from time to time. But not every time the compliance rule checks for compliance.

    What I can see in the MBAM Admin event Log is the warning:
    "Unable to connect to the MBAM Recovery and Hardware service.

    Error code:
    -2147024809"

    In the MBAM Operational log everything seems to be fine.

    If you would be so kind as to cross-check the log, I have attached the log of the newly created client, which indeed does not start to encrypt drives and does not communicate with the database.

    216329-bitlockermanagementhandler.log


  4. AllenLiu-MSFT 40,961 Reputation points Microsoft Vendor
    2022-07-01T06:36:12.04+00:00

    Hi, @26496502

    You can see the warning in the MBAM Admin event log "Unable to connect to the MBAM Recovery and Hardware service."
    It might mean that the value of the MBAM Compliance Status Service or Recovery and Hardware Service is incorrect.
    We may need to verify the values of KeyRecoveryServiceEndPoint and StatusReportingServiceEndpoint under the following registry subkey on the client computer:
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement

    For more details, please refer to:
    https://learn.microsoft.com/en-us/microsoft-desktop-optimization-pack/mbam-v25/troubleshooting-mbam-installation#troubleshooting-mbam-agent-communication-issues


    If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".


  5. Stefan 6 Reputation points
    2022-07-01T07:38:46.11+00:00

    Hi @AllenLiu-MSFT ,

    thanks again for your answer.
    I checked the mentioned registry keys and had to realize that there is no "KeyRecoveryServiceEndPoint" key and the "StatusReportingServiceEndpoint" key has no value.

    Afterwards I created the "KeyRecoveryServiceEndPoint" key and filled in the correct values for both keys.
    When I ran the compliance check on the client, after about 3 minutes I got the same error message as before, and when I checked the registry I found the same status as before: the "KeyRecoveryServiceEndPoint" key had been deleted and the "StatusReportingServiceEndpoint" key had no value.

    Do you have any suggestions as to how this behaviour can happen?

    Thanks again!
