How to Access the MBAM BitLocker Recovery Keys directly in SQL

Today I was working with a customer that wanted to upgrade MBAM from 2.0 to 2.5 SP1. It was a simple stand-alone configuration with a two-server setup.

It was deployed exactly like this example: https://support.microsoft.com/en-us/kb/3046555. Great guide.

The upgrade process is (normally) pretty straightforward. Basically, you need to back up the database, uninstall the old version of MBAM, install the new version of MBAM and then run the configuration wizard. But in this scenario the IIS service didn’t survive the upgrade, so the helpdesk and the self-service portal weren’t working.

So while we were trying to fix this problem, helpdesk calls for BitLocker recovery keys started to come in. So how do we access the recovery keys without a working portal?

Luckily everything is stored in SQL, so with a little query and some magic, we can continue to support our users.

To access the 48-digit recovery key saved in SQL, you need to perform the following steps:

  1. Open SQL Server Management Studio and expand the MBAM_Recovery_and_Hardware database.
  2. Under Tables, select RecoveryAndHardwareCore.Keys.
  3. Right-click RecoveryAndHardwareCore.Keys and choose Select Top 1000 Rows.

  4. This should create a query that will give you a list of all RecoveryKeyId and RecoveryKey values in the database.

  5. If you want to search for a specific recovery key, then you can add the following line to the query:

    WHERE RecoveryKeyId LIKE 'fcc%'
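
The lookup from the steps above as a single T-SQL batch, added here as an example (it is not from the original post or from Microsoft). It refuses a prefix that matches more than one key and flags the key that was read out as disclosed, which is the point raised in the comments below. The variable names and the assumption that `Disclosed` is a bit column are mine, and `'fcc'` is the sample prefix from step 5.

```sql
-- Added example: look up one recovery key by Key ID prefix and mark it disclosed.
USE MBAM_Recovery_and_Hardware;   -- database name from step 1

-- First characters of the Key ID the user reads from the recovery screen (sample value).
DECLARE @KeyIdPrefix nvarchar(36) = N'fcc';
DECLARE @Matches int;

-- Key IDs are GUIDs: reject anything that is not hex digits or hyphens,
-- so the input can never act as a LIKE wildcard.
IF @KeyIdPrefix = N'' OR REPLACE(@KeyIdPrefix, N'-', N'') LIKE N'%[^0-9A-Fa-f]%'
BEGIN
    RAISERROR(N'Key ID prefix must contain only hex digits and hyphens.', 16, 1);
    RETURN;
END

BEGIN TRANSACTION;

-- Count matches under an update lock so the row cannot change before it is flagged.
SELECT @Matches = COUNT(*)
FROM RecoveryAndHardwareCore.Keys WITH (UPDLOCK, HOLDLOCK)
WHERE RecoveryKeyId LIKE @KeyIdPrefix + N'%';

-- A short prefix can match several machines; never read out a key on an ambiguous match.
IF @Matches <> 1
BEGIN
    ROLLBACK TRANSACTION;
    RAISERROR(N'Prefix matched %d rows; ask the user for more characters of the Key ID.', 16, 1, @Matches);
    RETURN;
END

-- The single matching key, to be read to the verified user.
SELECT RecoveryKeyId, RecoveryKey
FROM RecoveryAndHardwareCore.Keys
WHERE RecoveryKeyId LIKE @KeyIdPrefix + N'%';

-- Assumption: Disclosed is a bit column. Flagging it records that the key has been
-- handed out, so the MBAM client replaces it once the web service is back.
UPDATE RecoveryAndHardwareCore.Keys
SET Disclosed = 1
WHERE RecoveryKeyId LIKE @KeyIdPrefix + N'%';

COMMIT TRANSACTION;
```

Because this path bypasses the helpdesk portal, record who requested each key and who ran the query in your ticketing system.
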

That’s it… Enjoy.

About Author

My name is Ronni Pedersen and I'm currently working as a Cloud Solution Architect at EG A/S in Denmark. My primary focus is Enterprise Client Management solutions, based on technologies like AzureAD, Intune, EMS and System Center Configuration Manager. I'm also a Microsoft Certified Trainer and Microsoft MVP in Enterprise Mobility.

2 Comments

  1. Pingback: How to Access the MBAM BitLocker Recover Keys directly in SQL | dbazzone

  2. Christoph Voigt on

    I highly recommend to set DISCLOSED to true in such cases, otherwise the mbam client won’t change the recovery key once your portal and web service are up again, leading to an eternally active recovery key (which users like to print out and take with them, because, well, it’s handy).