How does Key Rotation work in MBAM integrated with SCCM?


Microsoft recently released Configuration Manager Technical Preview version 1909, which contained updates to the integrated MBAM functionality within Configuration Manager, and I blogged about that here. Those updates included Self Service and Help Desk abilities as well as updates to Reporting.

In previous blog posts you looked at the Self Service feature for end users and then at the Help Desk feature. But what happens on the client and in the database once the recovery key has been disclosed (via the Help Desk)?

The Recovery Key and Recovery Key ID will rotate.

Note: Disclosing the Recovery Key using Self Service does not cause the key to rotate.

What is Key Rotation

Key rotation allows admins to use a single-use key (via the Help Desk) for unlocking a BitLocker encrypted device. Once this key is used, a new key will be generated for the device and stored securely on-premises in the ConfigMgr Database.

Source –
Note: Additions from me in Italics.

This helps to prevent a rogue Help Desk user from trying to decrypt the contents of a BitLockered computer without permission. Once the Recovery Key is given to the user via the Help Desk, it is rotated on the client and the new Recovery Key and Recovery Key ID are transferred to the server, so the old Recovery Key becomes useless.

A deeper look at Key Rotation

Before a Recovery Key is rotated, you can find out which key protector values you have on a client by issuing the following command in an Administrative command prompt.

Manage-bde -protectors -get c:

The first 8 characters of the Numerical Password listed below (Numerical Password is essentially the Recovery Key ID in SQL) are used to unlock drives that are in BitLocker Recovery mode via the Help Desk feature (or Self Service).

If you then look in SQL Server on the computer hosting the ConfigMgr database, you can view recently used Recovery Key IDs and their associated Recovery Keys, and whether they were disclosed or not via the Disclosed column.

/****** Script for SelectTopNRows command from SSMS ******/
-- Disclosed = 1 marks a key that a Help Desk user has already been shown
SELECT TOP 1000 [Id], [Disclosed]
FROM [CM_P01].[dbo].[RecoveryAndHardwareCore_Keys]

Note: Change CM_P01 to match your own ConfigMgr database name. If a Recovery Key has been disclosed (by a Help Desk user), its Disclosed column will have a value of 1.

Once a Recovery Key has been disclosed using the Help Desk feature, the MBAM agent on the client computer will force it to rotate, and running the same manage-bde command again on the host shows the new recovery ID and recovery password.

And those new values are transferred (escrowed) to the ConfigMgr database in SQL.

You can also see that change on the client itself via Event Viewer: in the MBAM Operational log, look for event ID 30.
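To make the before/after comparison described above repeatable, here is an added PowerShell example (my own, not code from the original post or from Microsoft). It snapshots the recovery-password protector IDs on a client, checks after a Help Desk disclosure whether those IDs were replaced, and pulls event ID 30 from the MBAM Operational log; it assumes the BitLocker PowerShell module is present and that the log is named Microsoft-Windows-MBAM/Operational (an assumption on my part).

```powershell
# Added example (not from the original post). Assumes the BitLocker module
# and an MBAM client log named Microsoft-Windows-MBAM/Operational.

function Get-RecoveryProtectorIds {
    param([string]$MountPoint = 'C:')
    # KeyProtectorId is the GUID shown by manage-bde -protectors -get;
    # the first 8 characters are what the Help Desk asks the user for.
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword' |
        ForEach-Object { $_.KeyProtectorId.Trim('{}').ToUpperInvariant() }
}

function Save-ProtectorSnapshot {
    param([string]$Path, [string]$MountPoint = 'C:')
    @{ Taken = (Get-Date).ToString('o'); Ids = @(Get-RecoveryProtectorIds $MountPoint) } |
        ConvertTo-Json | Set-Content -Path $Path
}

function Test-KeyRotated {
    # Rotated is $true when none of the previously recorded recovery-password
    # protector IDs is still present, i.e. the client replaced the key.
    param([string]$SnapshotPath, [string]$MountPoint = 'C:')
    $before = @((Get-Content $SnapshotPath -Raw | ConvertFrom-Json).Ids)
    $now    = @(Get-RecoveryProtectorIds $MountPoint)
    $stale  = @($before | Where-Object { $now -contains $_ })
    [pscustomobject]@{
        Rotated      = ($stale.Count -eq 0 -and $now.Count -gt 0)
        OldIds       = $before
        CurrentIds   = $now
        StillPresent = $stale
    }
}

function Get-MbamRotationEvents {
    # Event ID 30 is where the post says the client records the rotation;
    # the log name itself is an assumption.
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-MBAM/Operational'
        Id        = 30
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Usage: Save-ProtectorSnapshot -Path C:\temp\bl-before.json   (before disclosure)
#        Test-KeyRotated -SnapshotPath C:\temp\bl-before.json   (after disclosure)
#        Get-MbamRotationEvents
```

A Rotated value of $false after a Help Desk disclosure, or an empty result from Get-MbamRotationEvents, is the signal to check that the client can reach the management point and escrow its new key.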
