Configuring MDM Recovery Password Service

2/9/2009

In Mobile Device Manager (MDM) Shell, the following cmdlets let you configure several settings for the Recovery Password service in MDM 2008 SP1. The Recovery Password service provides a recovery password to users who want to reset the password on their managed devices. For more information about password reset, see Configure Password Reset in MDM.

MDM Shell cmdlets and their descriptions:

Get-MDMDeviceRecoveryPassword

Returns the recovery password for a specified device. This cmdlet invokes the password recovery Web service, which requests the password from the database. The encrypted recovery password for that device is retrieved from the database and decrypted with the server's private key, and the decrypted recovery password is returned to the cmdlet. This cmdlet is referenced by MDM Console, Windows PowerShell, and MDM Self Service Portal. Only the SCMDMDeviceAdmins, SCMDMDeviceSupport, and SCMDMSelfServiceServers groups are authorized to call this cmdlet.

Update-MDMDeviceRecoveryPassword

Instructs a specified device to generate a new recovery password and send it to the server in the next two device management sessions; or instructs all devices to generate a new recovery password and send it to the server in the next device management session. To use this functionality, you must install the password recovery components on the device and enable the User Reset of password Group Policy setting. A device also automatically renews its recovery password every time a password reset operation is completed successfully. Do not run this cmdlet as part of normal operations because it is designed for recovery scenarios only.

Get-MDMDeviceStatus

Returns a binary status of the recovery password, if one is available in the Device Registration database. This cmdlet is referenced by MDM Console and MDM Self Service Portal. The Display Recovery Password button is disabled in MDM Console and MDM Self Service Portal if the cmdlet returns that the recovery password is not available. The SCMDMDeviceAdmins, SCMDMDeviceSupport, SCMDMHelpdeskOperator, and SCMDMSelfServiceServers groups are authorized to call this cmdlet. This cmdlet does not return the encrypted or decrypted recovery password; its result is limited to a binary status.

Update-MDMDeviceRecoveryPasswordEncryptionKey

Generates a new pair of encryption keys. This cmdlet deletes all recovery passwords currently stored on the server because the private key that is needed to decrypt them is replaced with a new one. This cmdlet also updates the tasks in the Device Management database (TEEDB) to cause all devices to generate new recovery passwords and encrypt them with the new key.

Do not run this cmdlet as part of normal operations; run this cmdlet only in a disaster recovery scenario when the recovery passwords in the database are lost, or if the security of the private encryption key has been compromised.
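As an added example (not part of this MDM documentation), the following PowerShell helper for MDM Shell applies the same gating the console uses for the Display Recovery Password button: it calls Get-MDMDeviceStatus first, requests the password only when one is stored, and records an audit line that never contains the secret. The -DeviceName parameter and the RecoveryPasswordAvailable property are assumptions about the cmdlets' interface, not something this page documents.

```powershell
# Added example, not from the MDM documentation: a helpdesk wrapper that calls
# Get-MDMDeviceRecoveryPassword only after Get-MDMDeviceStatus reports that a
# recovery password exists, mirroring how MDM Console disables its button.
# ASSUMPTIONS (not documented on this page): both cmdlets accept -DeviceName,
# and Get-MDMDeviceStatus returns an object whose RecoveryPasswordAvailable
# property is a boolean. Adjust both to the real cmdlet output before use.
function Get-GatedRecoveryPassword {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string]$DeviceName,
        [string]$AuditLog = "$env:TEMP\mdm-recovery-audit.log"
    )

    # Step 1: status check only. This is the call the helpdesk and self-service
    # groups are allowed to make; it returns no encrypted or decrypted secret.
    $status = Get-MDMDeviceStatus -DeviceName $DeviceName
    if (-not $status.RecoveryPasswordAvailable) {
        Write-Warning "No recovery password stored for '$DeviceName'; nothing to retrieve."
        return $null
    }

    # Step 2: retrieve and decrypt. Succeeds only for SCMDMDeviceAdmins,
    # SCMDMDeviceSupport or SCMDMSelfServiceServers members; surface a refusal
    # as an error instead of silently returning nothing.
    try {
        $recovery = Get-MDMDeviceRecoveryPassword -DeviceName $DeviceName -ErrorAction Stop
    } catch {
        Write-Error "Recovery password request for '$DeviceName' was refused: $($_.Exception.Message)"
        return $null
    }

    # Step 3: log who retrieved a recovery password for which device, and when.
    # The secret itself is deliberately kept out of the log line.
    $who   = [Security.Principal.WindowsIdentity]::GetCurrent().Name
    $entry = "{0:u} {1} retrieved recovery password for {2}" -f (Get-Date), $who, $DeviceName
    Add-Content -Path $AuditLog -Value $entry
    return $recovery
}

# Usage: Get-GatedRecoveryPassword -DeviceName 'CONTOSO-WM6-001'   (constructed device name)
```

Because a device renews its recovery password automatically after a successful reset, the helper does not call Update-MDMDeviceRecoveryPassword, which the page reserves for recovery scenarios.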

See Also

Reference

Get-MDMDeviceRecoveryPassword
Update-MDMDeviceRecoveryPassword
Update-MDMDeviceRecoveryPasswordEncryptionKey

Concepts

Configure Password Reset in MDM