Get MBAM BitLocker Recovery Keys from Microsoft SQL Server

Microsoft BitLocker Administration and Monitoring (MBAM) provides a simplified administrative interface for managing BitLocker Drive Encryption, which is why many customers use it to manage domain-joined, on-premises client PCs. In this article, we shall discuss how to get MBAM BitLocker Recovery Keys directly from Microsoft SQL Server. Please see how to prevent Microsoft Teams from starting automatically on Windows, and How to deploy MBAM for BitLocker Administration.
Note: The functionality of MBAM has been incorporated into Microsoft Configuration Manager as BitLocker Management, so this article also applies to those managing BitLocker with Microsoft Endpoint Configuration Manager (formerly SCCM); there the same RecoveryAndHardwareCore schema lives in the Configuration Manager site database rather than in a separate MBAM database. See Self-service Recovery: Trellix BitLocker and FileVault Recovery.
Microsoft will end MBAM’s extended support in April 2026, so organizations need to find an alternative. Once out of support, MBAM receives no security updates, and it will no longer meet security requirements or support future-proofing efforts.
Therefore, migrating to a suitable solution or to Microsoft Endpoint Configuration Manager is recommended. Please see MBAM extended support ends April 2026: Find alternative solution. I also recommend this guide from Microsoft. You will find more practical insights here: How to deploy MBAM Client as part of a Windows Deployment.
Why Retrieve the Recovery Keys Directly From the SQL Server?
Why go through the hassle of retrieving MBAM BitLocker recovery keys directly from SQL Server when you can easily access them via the self-service portal, helpdesk portal, or Active Directory? Please see Backup existing and new BitLocker Recovery Keys to Active Directory.
One case is an MBAM upgrade. If IIS does not survive the upgrade, the helpdesk and self-service portals become unavailable, and reading the database directly is a fallback. You may also lack the privileges to read the keys from AD, or the utilities to view BitLocker Recovery Information may not be installed.
Viewing the keys in AD requires Domain Admin rights (or equivalent delegated permissions) and the BitLocker Drive Encryption Administration Utilities installed on a server. Please see “Install Remote Server Administration Tools on Windows 11“, and Unable to find my BitLocker Recovery Key. Below are some other reasons.
- If your organization has custom scripts or tools that automate key retrieval or integrate recovery keys with other systems, direct access to the SQL database might be required to keep that automation working.
- SQL queries allow advanced customization and fine-grained filtering. For instance, you can quickly search for keys associated with specific computers, volumes or last-update times that are not easily available through the standard portals.
- Lastly, if you need to retrieve a large number of recovery keys at once for reporting, migration, or auditing purposes, reading them directly from SQL Server is more efficient than requesting each key individually through the portals.
Please see MBAM Policy was detected: Verify the OU used for pre-deployment does not apply MBAM policy. Also, see how to Fix An error has occurred during report processing (rsProcessingAborted), and how does Key Rotation work in MBAM.
Query and Force BitLocker Recovery
We have previously discussed this step extensively in the article “Force BitLocker Recovery: Perform BitLocker Recovery via the Self-Service Portal and Helpdesk“. As the screenshot shows, the device is already fully encrypted.

Launch an elevated Command Prompt or PowerShell window and run the command below against the drive on which you want to initiate recovery; here we force BitLocker recovery on the OS drive. Other reasons the recovery prompt appears include BIOS or TPM changes, modification of boot or OS files, and lost PINs. You can read more about BitLocker Windows Update Shutdown or Reboot option behavior.
manage-bde -ForceRecovery C:
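Before forcing recovery it helps to record which key you will later be looking for. The PowerShell below is an added example (not code from the original article or from Microsoft): it reads the ID of the RecoveryPassword protector on the volume, which is the GUID the recovery screen shows as the Recovery Key ID and the value MBAM stores in RecoveryKeyId, and only then forces recovery. It assumes the BitLocker PowerShell module (Windows 8 / Server 2012 and later), an elevated session, and that C: is the OS drive.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell
# session on the client. Assumes the BitLocker module and that C: is the OS drive.
$Drive = 'C:'
$vol = Get-BitLockerVolume -MountPoint $Drive -ErrorAction Stop

if ($vol.ProtectionStatus -ne 'On') {
    throw "BitLocker protection is not On for $Drive (status: $($vol.ProtectionStatus)); there is nothing to recover."
}

# The numerical password (RecoveryPassword) protector's ID is the GUID shown on the
# recovery screen and stored by MBAM in RecoveryAndHardwareCore.Keys.RecoveryKeyId.
# Only the ID is printed; the 48-digit password itself is never written to the console.
$rp = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
if ($rp.Count -eq 0) {
    throw "No RecoveryPassword protector exists on $Drive, so MBAM has nothing to escrow."
}
foreach ($p in $rp) {
    'Recovery Key ID for {0}: {1}' -f $Drive, $p.KeyProtectorId.Trim('{}')
}

# Now force the recovery prompt on the next boot (equivalent to manage-bde -ForceRecovery C:).
manage-bde -ForceRecovery $Drive
```

If a volume has more than one RecoveryPassword protector, every ID is listed; any of them unlocks the drive, and the one the recovery screen displays is the one to search for in MBAM.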

Upon restart, the BitLocker Recovery screen will be invoked.

Note: If you are testing on a VM or physical server, you can instead disable Secure Boot, which will trigger the recovery prompt on the next restart. This only works when Secure Boot was already enabled at the time BitLocker was turned on, because the TPM measurement BitLocker seals the key to (PCR 7) is then bound to the Secure Boot state.
Also, see Force immediate MBAM Encryption: Why does the MBAM Agent delay most times in encrypting devices, how to Visualize MBAM Recovery Audit Report with Python, and how to Query MBAM to display the BitLocker Recovery report
Access the Recovery Key saved in Microsoft SQL Server
To do this, launch SQL Server Management Studio (SSMS) and connect to the MBAM database server, as shown below.

Expand the MBAM Recovery and Hardware database. Under Tables, locate RecoveryAndHardwareCore.Keys.

Then, right-click RecoveryAndHardwareCore.Keys and choose Select Top 1000 Rows. This generates a query that lists the RecoveryKeyIds and RecoveryKeys in the database (the first 1000 rows).

To find the recovery key for a specific device or drive, add a WHERE clause on RecoveryKeyId to the generated query, using the Recovery Key ID shown on the BitLocker recovery screen. Two things to watch: the quotes must be straight single quotes (the curly quotes a word processor or browser inserts are not valid string delimiters in T-SQL), and in a T-SQL LIKE pattern only % (any run of characters) and _ (exactly one character) are wildcards, while a dot is a literal character. The ID in the pattern below is partially masked, so replace it with the real ID, or its leading characters followed by %, before running the query.
SELECT TOP (1000) [Id],
[LastUpdateTime],
[VolumeId],
[RecoveryKeyId],
[RecoveryKey],
[RecoveryKeyPackage],
[Disclosed]
FROM [MBAM Recovery and Hardware].[RecoveryAndHardwareCore].[Keys]
WHERE RecoveryKeyId LIKE 'B2..-...-....-...C5%';
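The same lookup from PowerShell, as an added example that is not code from the article or from Microsoft. It turns the SSMS steps above, and the automation and filtering reasons given earlier, into a parameterised query so that the Recovery Key ID typed by an operator can never be interpreted as SQL, and it treats an empty result as “not escrowed yet” rather than as a failure. The table and column names are the ones shown in the query above; the server name, the use of Windows authentication with db_datareader on the database, and the prefix format check are assumptions of this example.

```powershell
# Added example, not from the original article or from Microsoft. Looks up a
# recovery key in the MBAM database by the Recovery Key ID shown on the recovery
# screen, using a parameterised query. Assumes Windows authentication with
# db_datareader on the database; the server name is a placeholder.
param(
    [Parameter(Mandatory)][string]$RecoveryKeyIdPrefix,   # leading characters of the Recovery Key ID
    [string]$SqlServer = 'MBAMSQL01',                       # placeholder: your MBAM database server
    [string]$Database  = 'MBAM Recovery and Hardware'
)

# Reject anything that is not hex digits and dashes before it goes anywhere near SQL.
if ($RecoveryKeyIdPrefix -notmatch '^[0-9A-Fa-f-]{4,36}$') {
    throw "Recovery Key ID prefix must be 4-36 hex digits/dashes, got '$RecoveryKeyIdPrefix'."
}

$conn = New-Object System.Data.SqlClient.SqlConnection
# Encrypt=True without TrustServerCertificate means the SQL Server certificate is validated.
$conn.ConnectionString = "Server=$SqlServer;Database=$Database;Integrated Security=True;Encrypt=True"
$rows = @()
$conn.Open()
try {
    $cmd = $conn.CreateCommand()
    # @prefix is bound as a parameter, never concatenated into the statement. A '.' is a
    # literal in T-SQL LIKE, so the prefix is matched verbatim and only the trailing '%'
    # acts as a wildcard. CAST makes the comparison work whether RecoveryKeyId is a
    # uniqueidentifier or a string column.
    $cmd.CommandText = @"
SELECT TOP (10) [Id], [LastUpdateTime], [VolumeId], [RecoveryKeyId], [RecoveryKey], [Disclosed]
FROM [RecoveryAndHardwareCore].[Keys]
WHERE CAST([RecoveryKeyId] AS char(36)) LIKE @prefix + '%'
ORDER BY [LastUpdateTime] DESC;
"@
    [void]$cmd.Parameters.Add('@prefix', [System.Data.SqlDbType]::VarChar, 36)
    $cmd.Parameters['@prefix'].Value = $RecoveryKeyIdPrefix

    $reader = $cmd.ExecuteReader()
    try {
        while ($reader.Read()) {
            $rows += [pscustomobject]@{
                RecoveryKeyId  = $reader['RecoveryKeyId']
                VolumeId       = $reader['VolumeId']
                LastUpdateTime = $reader['LastUpdateTime']
                Disclosed      = $reader['Disclosed']
                RecoveryKey    = $reader['RecoveryKey']   # the 48-digit password: treat as a secret
            }
        }
    }
    finally { $reader.Close() }
}
finally { $conn.Close() }

switch ($rows.Count) {
    0 {
        # In a fresh deployment this usually means the client has not escrowed the key yet.
        Write-Warning "No key whose ID starts with '$RecoveryKeyIdPrefix' has been escrowed to '$Database' on $SqlServer."
    }
    1 { $rows[0] }
    default {
        Write-Warning "Prefix matches $($rows.Count) keys; supply more of the Recovery Key ID."
        $rows | Select-Object RecoveryKeyId, VolumeId, LastUpdateTime, Disclosed | Format-Table -AutoSize
    }
}
```

Two caveats a practitioner should keep in mind. Reading RecoveryKey straight from the table bypasses the disclosure audit that the helpdesk and self-service portals write (the data behind the MBAM Recovery Audit Report), so restrict who can run a script like this and log its use. And the connection string requests encryption and validates the SQL Server certificate; if your instance still uses a self-signed certificate, install a trusted one rather than weakening that setting.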


Because the device was only just encrypted and the MBAM client has not yet escrowed the recovery key to the database, the result set is empty. An empty result therefore means the key has not been escrowed yet; had something in the query been wrong, SSMS would have returned an error instead.
Please see how to correctly disable BitLocker on Windows Server, Fast Boot Options: Fix specific Drive issue with BitLocker [MBAM], and “Understanding Microsoft BitLocker Administration and Monitoring Roles“.
Query Recovery Key ID from the Helpdesk Portal or Self-service Portal
We have dealt with this topic extensively in the past as well, in the article referenced above, “Force BitLocker Recovery: Perform BitLocker Recovery via the Self-Service Portal and Helpdesk”. Here I will just show that the key cannot be queried yet.
This is because, by default, the MBAM client waits a random delay of up to 90 minutes after startup before communicating with the Administration and Monitoring server. This was designed to reduce the load on the MBAM server during the initial deployment of the MBAM client. Please see Force immediate MBAM Encryption: Why does the MBAM Agent delay most times in encrypting devices for more information.

Get Recovery Key Password from Active Directory
Storing recovery keys in Active Directory ensures they remain available even if other systems, such as the self-service portal or the helpdesk platform, fail. By saving the keys in a centralized, replicated store like AD, you mitigate the risk of a single point of failure.
Furthermore, Active Directory integrates with other security features such as Group Policy and delegated permissions, which let administrators control who can access recovery keys. This enhances security by ensuring that only authorized personnel have the rights to retrieve or manage the keys.
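The retrieval itself, as an added example that is not code from the original article: the script below finds the msFVE-RecoveryInformation objects stored under a computer account and returns the recovery password whose ID matches what the recovery screen shows. It assumes the ActiveDirectory RSAT module and an account that has been granted read access to those objects (Domain Admins by default, or a group delegated that right); the parameter names are this example's own.

```powershell
# Added example, not from the original article. Retrieves the BitLocker recovery
# password stored in AD for one computer and one Recovery Key ID. Assumes the
# ActiveDirectory RSAT module and an account allowed to read
# msFVE-RecoveryInformation objects (Domain Admins, or a delegated group).
param(
    [Parameter(Mandatory)][string]$ComputerName,
    [Parameter(Mandatory)][string]$RecoveryKeyIdPrefix   # leading characters of the ID on the recovery screen
)
Import-Module ActiveDirectory -ErrorAction Stop

$computer = Get-ADComputer -Identity $ComputerName -ErrorAction Stop

# Escrowed keys are child objects of the computer account, class msFVE-RecoveryInformation.
$keys = @(Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
        -Filter "objectClass -eq 'msFVE-RecoveryInformation'" `
        -Properties 'msFVE-RecoveryGuid', 'msFVE-RecoveryPassword', 'whenCreated')

if ($keys.Count -eq 0) {
    Write-Warning "No BitLocker recovery information is stored in AD for $ComputerName."
    return
}

$found = foreach ($k in $keys) {
    # msFVE-RecoveryGuid is an octet string; convert it to the GUID the recovery screen shows.
    $id = (New-Object System.Guid -ArgumentList (, [byte[]]$k.'msFVE-RecoveryGuid')).ToString().ToUpper()
    if ($id -like "$RecoveryKeyIdPrefix*") {
        [pscustomobject]@{
            ComputerName     = $ComputerName
            RecoveryKeyId    = $id
            WhenCreated      = $k.whenCreated
            RecoveryPassword = $k.'msFVE-RecoveryPassword'   # 48-digit secret; do not log it
        }
    }
}

if (-not $found) {
    Write-Warning "$($keys.Count) key(s) exist for $ComputerName, but none starts with '$RecoveryKeyIdPrefix'."
} else {
    $found
}
```

Because AD keeps one object per escrowed key, a machine that has been re-encrypted or had its key rotated will have several; matching on the ID from the recovery screen, rather than taking the newest object, is what guarantees you hand out the password that actually unlocks the drive.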

FAQs
How do I check whether the MBAM agent is installed on a client computer?
To determine whether the MBAM agent is installed on a client computer, check for the BitLocker Management Client Service in the Windows Services Manager. If MBAM is installed, this service should be present and configured to start automatically. Additionally, verify that the MBAM Group Policy settings have been applied by checking the Windows Registry: navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement and confirm that this key exists and contains values corresponding to the configured Group Policy settings. If both the service and the registry key are present, the MBAM agent is installed and active on the client machine.
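The check above, and the client startup delay described in the portal section, scripted as one added example (not code from the original article or from Microsoft). The service name MBAMAgent, the policy key path and the NoStartupDelay value under HKLM\SOFTWARE\Microsoft\MBAM are the documented MBAM client settings; the parameter name and output format are this example's own. Run it in an elevated PowerShell session on the client.

```powershell
# Added example, not from the original article. Verifies that the MBAM agent is
# installed and that MBAM policy has reached this client; with -ClearStartupDelay it
# also removes the random startup delay so the client contacts the server at once.
param([switch]$ClearStartupDelay)

# 1. The agent service (display name "BitLocker Management Client Service").
$svc = Get-Service -Name MBAMAgent -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Warning 'MBAM agent service (MBAMAgent, "BitLocker Management Client Service") is not installed.'
    return
}
$startMode = (Get-CimInstance Win32_Service -Filter "Name='MBAMAgent'").StartMode
'Service: {0} is {1}, start mode {2}' -f $svc.DisplayName, $svc.Status, $startMode
if ($startMode -ne 'Auto') {
    Write-Warning 'The MBAM agent service is not set to start automatically.'
}

# 2. The policy key that Group Policy populates when MBAM settings apply.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement'
if (Test-Path $policyKey) {
    $p = Get-ItemProperty -Path $policyKey
    'MBAM policy is applied. Values:'
    $p.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { '  {0} = {1}' -f $_.Name, $_.Value }
} else {
    Write-Warning "Policy key $policyKey is missing; MBAM Group Policy has not reached this client."
}

# 3. Optionally skip the random startup delay (up to 90 minutes by default) and
#    restart the agent so it reports and escrows keys without waiting.
if ($ClearStartupDelay) {
    $mbamKey = 'HKLM:\SOFTWARE\Microsoft\MBAM'
    if (-not (Test-Path $mbamKey)) { New-Item -Path $mbamKey -Force | Out-Null }
    Set-ItemProperty -Path $mbamKey -Name NoStartupDelay -Value 1 -Type DWord
    Restart-Service -Name MBAMAgent -Force
    'NoStartupDelay set to 1 and MBAMAgent restarted; the client should contact the server now.'
}
```

Leave NoStartupDelay unset in the normal deployment: the delay exists precisely to spread client check-ins during a large rollout, and clearing it is a troubleshooting step for one machine, not a fleet-wide setting.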
Why does a deleted PC still show up in MBAM reports?
When a PC is deleted from Active Directory (AD) and the MBAM agent is uninstalled, the device is no longer managed by MBAM. However, the device record remains in SQL Server Reporting Services (SSRS) with its last known contact date. This is because MBAM stores historical compliance and encryption status data in the Compliance and Audit Database, which is not automatically purged when a device is deleted. To fully remove the device from MBAM reporting, administrators must manually delete the record from the MBAM database using SQL queries, or allow it to age out.
Can I use a USB keyboard at the BitLocker recovery screen?
Yes, most laptops support USB keyboards at the BitLocker recovery screen. This allows you to enter the 48-digit recovery key even if the built-in keyboard is not working.
I hope you found this article on “Get MBAM BitLocker Recovery Keys from Microsoft SQL Server” useful. Please feel free to leave a comment below.