Bitlocker recovery keys not in DB and web.config settings - Microsoft Q&A (2023)

asked 2022-12-19T18:16:37.75+00:00 by JG (266 Reputation points)

I have found a few articles that say to add this entry into the web.config file for the MBAM recovery site in IIS:

<serviceHostingEnvironment multipleSiteBindingsEnabled="true">

Do I need to add this setting?

<system.serviceModel>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true">
</serviceHostingEnvironment>
</system.serviceModel>

https://www.agdiwo.com/en/bitlocker-management-in-memcm/

https://www.reddit.com/r/SCCM/comments/i4y49e/cmg_ehttp_with_mbam_on_mp/

I have a couple of machines that I'm testing migrating from MBAM to SCCM (although we have migrated a number of machines already) - moved these to be managed by ConfigMgr this morning (on LAN); they have no errors in the BitlockerManagementHandler log (rebooted several times) and say they have escrowed the key to the DB and are compliant.
There is an existing recovery key for one of the laptops - LastUpdateTime is August (it was reimaged this week) and the other laptop has no record at all in the DB. Both have TPM+PIN and a Numerical Password set when you show the protectors on them in cmd, and are encrypted.
(I have just checked another machine and it also has no recovery key in the DB.)

I'm now wondering if the DB isn't getting updated with some recovery keys and if I need to add the setting above into the web.config file?

Also, should there be a KeyRecoveryServiceEndpoint value under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement ?
(UseKeyRecoveryService is set to 0)

We are using ConfigMgr 2203 and eHTTP.

Thanks


  1. answered 2022-12-20T09:30:50.88+00:00 by CherryZhang-MSFT (3,451 Reputation points, Microsoft Employee)

    Hi @JG ,

    Thanks for your information!

    According to your description, you want to migrate from MBAM to SCCM, most of the clients migrated successfully, and only two laptops had problems with not being able to get the recovery key, right?
    (Note: If I misunderstand something, please let me know! Thank you!)

    1, As far as I know, there is more than one reason why the client cannot get the recovery key. Have you checked the BitlockerManagementHandler.log on the laptops? Is there any useful information? If the client's situation is exactly as described in the article you shared, maybe we can try the above solution on a test machine. Otherwise, we may need to analyze why it cannot get the recovery key.

    2, The following situations may also be worth considering:

    1) Group policy
    2) TPM password hash
    3) Re-encryption

    If I misunderstand something, please let me know! I will do more research, and if I have any useful information, I will share it with you. Thanks for your time!

    Best regards,
    Cherry


    1. answered 2022-12-20T11:12:57.66+00:00 by JG (266 Reputation points)

      Hi,

      Thanks @CherryZhang-MSFT
      So the main issue is that I now have discovered another machine - so far 3 in total that have said they have escrowed their recovery key to the MP; however, no recovery key exists for that machine when I query the DB with SQL.
      I can find recovery keys for others, but now I'm worried that something has changed and machines are saying they are compliant because they think they have escrowed their key, but they have not and we have no way to recover them.
      I'm now worried that there are machines that actually have no recovery key in the DB, so we will have no way to recover data off them if required.

      Existing machines are moved out of the MBAM OU to a new OU with no BitLocker-related GPOs. Newly imaged machines are put into this new OU with no existing BitLocker GPOs.
      The logs on clients all say they have escrowed the recovery key to the MP.

      I did an in-place OS upgrade of my MP on 14th Nov from W2012R2 to W2019 and I'm wondering if this has caused any changes in IIS; that's why I asked if adding that setting was necessary/required.

      Here are the bits from the logs for the first escrow task:
      laptop A (migrated from MBAM)
      Executing key escrow task.BitlockerManagementHandler19/12/2022 11:02:064012 (0x0FAC)
      Volume \?\Volume{db471b45-1956-4956-a4e1-7a355c81f7e4}\ of type 1 has compliance status 1BitlockerManagementHandler19/12/2022 11:02:064012 (0x0FAC)
      Adding numerical password to volume \?\Volume{db471b45-1956-4956-a4e1-7a355c81f7e4}.BitlockerManagementHandler19/12/2022 11:02:064012 (0x0FAC)
      Key for volume {8D5AB368-9933-4125-9EE8-AE1D090A40A5} needs to be escrowed.BitlockerManagementHandler19/12/2022 11:02:074012 (0x0FAC)
      Added 1 volumes to message payloadBitlockerManagementHandler19/12/2022 11:02:074012 (0x0FAC)
      Sending message key escrow message.BitlockerManagementHandler19/12/2022 11:02:074012 (0x0FAC)
      Received server response '<InstantMessageReply Processed="1" />'BitlockerManagementHandler19/12/2022 11:02:074012 (0x0FAC)
      Recovery keys escrowed to MP.BitlockerManagementHandler19/12/2022 11:02:074012 (0x0FAC)
      Could not check enrollment url, 0x00000001:BitlockerManagementHandler19/12/2022 11:03:248752 (0x2230)
      Expiring key escrow deadlineBitlockerManagementHandler19/12/2022 11:03:248752 (0x2230)
      Could not check enrollment url, 0x00000001:BitlockerManagementHandler19/12/2022 11:04:2413256 (0x33C8)
      Executing key escrow task.BitlockerManagementHandler19/12/2022 11:04:2413256 (0x33C8)
      Volume \?\Volume{db471b45-1956-4956-a4e1-7a355c81f7e4}\ of type 1 has compliance status 1BitlockerManagementHandler19/12/2022 11:04:2513256 (0x33C8)
      Removing numerical password with ID {D2F3F464-3AA2-4176-8266-3B05B6FABB6F} from volume \?\Volume{db471b45-1956-4956-a4e1-7a355c81f7e4}\BitlockerManagementHandler19/12/2022 11:04:2513256 (0x33C8)
      Unable to delete registry key SOFTWARE\Microsoft\CCM\BLM\Escrowed{D2F3F464-3AA2-4176-8266-3B05B6FABB6F}. 0x80070002BitlockerManagementHandler19/12/2022 11:04:2513256 (0x33C8)
      Key for volume {8D5AB368-9933-4125-9EE8-AE1D090A40A5} does not need to be escrowed.BitlockerManagementHandler19/12/2022 11:04:2513256 (0x33C8)
      Nothing to escrowBitlockerManagementHandler19/12/2022 11:04:2513256 (0x33C8)
      SystemTask: Starting timer.BitlockerManagementHandler19/12/2022 11:23:114260 (0x10A4)
      Could not check enrollment url, 0x00000001:BitlockerManagementHandler19/12/2022 11:23:114260 (0x10A4)
      Starting timer task.BitlockerManagementHandler19/12/2022 11:23:114260 (0x10A4)
      Could not check enrollment url, 0x00000001:BitlockerManagementHandler19/12/2022 12:34:2611460 (0x2CC4)
      Executing key escrow task.BitlockerManagementHandler19/12/2022 12:34:2611460 (0x2CC4)
      Volume \?\Volume{db471b45-1956-4956-a4e1-7a355c81f7e4}\ of type 1 has compliance status 1BitlockerManagementHandler19/12/2022 12:34:2711460 (0x2CC4)
      Key for volume {8D5AB368-9933-4125-9EE8-AE1D090A40A5} does not need to be escrowed.BitlockerManagementHandler19/12/2022 12:34:2711460 (0x2CC4)
      Nothing to escrowBitlockerManagementHandler19/12/2022 12:34:2711460 (0x2CC4)

      Laptop B (migrated from MBAM)
      Executing key escrow task.BitlockerManagementHandler19/12/2022 10:58:3613128 (0x3348)
      Volume \?\Volume{d0e5d556-2299-4bf2-82ca-fe7c35d24a3c}\ of type 1 has compliance status 1BitlockerManagementHandler19/12/2022 10:58:3613128 (0x3348)
      Adding numerical password to volume \?\Volume{d0e5d556-2299-4bf2-82ca-fe7c35d24a3c}.BitlockerManagementHandler19/12/2022 10:58:3613128 (0x3348)
      Key for volume {D84B5EFF-DD4F-4BE4-A490-08704A16C27D} needs to be escrowed.BitlockerManagementHandler19/12/2022 10:58:3613128 (0x3348)
      Added 1 volumes to message payloadBitlockerManagementHandler19/12/2022 10:58:3613128 (0x3348)
      Sending message key escrow message.BitlockerManagementHandler19/12/2022 10:58:3613128 (0x3348)
      Received server response '<InstantMessageReply Processed="1" />'BitlockerManagementHandler19/12/2022 10:58:3613128 (0x3348)
      Recovery keys escrowed to MP.BitlockerManagementHandler19/12/2022 10:58:3613128 (0x3348)
      Could not check enrollment url, 0x00000001:BitlockerManagementHandler19/12/2022 10:59:2612664 (0x3178)
      Expiring key escrow deadlineBitlockerManagementHandler19/12/2022 10:59:2612664 (0x3178)
      Could not check enrollment url, 0x00000001:BitlockerManagementHandler19/12/2022 10:59:2612664 (0x3178)
      Expiring key escrow deadlineBitlockerManagementHandler19/12/2022 10:59:2612664 (0x3178)
      Could not check enrollment url, 0x00000001:BitlockerManagementHandler19/12/2022 11:00:262380 (0x094C)
      Executing key escrow task.BitlockerManagementHandler19/12/2022 11:00:262380 (0x094C)
      Volume \?\Volume{d0e5d556-2299-4bf2-82ca-fe7c35d24a3c}\ of type 1 has compliance status 1BitlockerManagementHandler19/12/2022 11:00:272380 (0x094C)
      Removing numerical password with ID {0EC28236-87DD-4FDD-A7D8-673C143014F5} from volume \?\Volume{d0e5d556-2299-4bf2-82ca-fe7c35d24a3c}\BitlockerManagementHandler19/12/2022 11:00:272380 (0x094C)
      Unable to delete registry key SOFTWARE\Microsoft\CCM\BLM\Escrowed{0EC28236-87DD-4FDD-A7D8-673C143014F5}. 0x80070002BitlockerManagementHandler19/12/2022 11:00:272380 (0x094C)
      Key for volume {D84B5EFF-DD4F-4BE4-A490-08704A16C27D} does not need to be escrowed.BitlockerManagementHandler19/12/2022 11:00:272380 (0x094C)
      Nothing to escrowBitlockerManagementHandler19/12/2022 11:00:272380 (0x094C)
      SystemTask: Starting timer.BitlockerManagementHandler19/12/2022 11:24:0810588 (0x295C)
      Could not check enrollment url, 0x00000001:BitlockerManagementHandler19/12/2022 11:24:0810588 (0x295C)
      Starting timer task.BitlockerManagementHandler19/12/2022 11:24:0810588 (0x295C)

      desktop (newly imaged machine)
      Starting timer task.BitlockerManagementHandler13/12/2022 13:23:236000 (0x1770)
      Adding numerical password to volume \?\Volume{7234aa1e-af9a-47a4-81a4-94dc8253cc01}.BitlockerManagementHandler13/12/2022 13:23:236000 (0x1770)
      Unable to read registry value KeyRecoveryOptions under key SOFTWARE\Microsoft\CCM\BLM. Recovery package will not be escrowed. 0x80070002BitlockerManagementHandler13/12/2022 13:23:246000 (0x1770)
      Added 1 volumes to message payloadBitlockerManagementHandler13/12/2022 13:23:246000 (0x1770)
      Sending message key escrow message.BitlockerManagementHandler13/12/2022 13:23:256000 (0x1770)
      Received server response '<InstantMessageReply Processed="1" />'BitlockerManagementHandler13/12/2022 13:23:266000 (0x1770)
      Recovery keys escrowed to MP.BitlockerManagementHandler13/12/2022 13:23:266000 (0x1770)
      Expiring key escrow deadlineBitlockerManagementHandler13/12/2022 13:28:339160 (0x23C8)
      Unable to read registry value KeyRecoveryOptions under key SOFTWARE\Microsoft\CCM\BLM. Recovery package will not be escrowed. 0x80070002BitlockerManagementHandler13/12/2022 13:29:336448 (0x1930)
      Removing numerical password with ID {43CAAD6A-16DC-4BF7-AA6F-516837B9A051} from volume \?\Volume{7234aa1e-af9a-47a4-81a4-94dc8253cc01}\BitlockerManagementHandler13/12/2022 13:29:336448 (0x1930)
      Added 1 volumes to message payloadBitlockerManagementHandler13/12/2022 13:29:336448 (0x1930)
      Sending message key escrow message.BitlockerManagementHandler13/12/2022 13:29:336448 (0x1930)
      Received server response '<InstantMessageReply Processed="1" />'BitlockerManagementHandler13/12/2022 13:29:346448 (0x1930)
      Recovery keys escrowed to MP.BitlockerManagementHandler13/12/2022 13:29:346448 (0x1930)
      Processing BitLocker Management Policy ScopeId_506F5099-79F7-43F9-981C-E9F24EDE97F2/ConfigurationPolicy_b0afbbd4-2f3e-45e8-b9be-a35f67f0cb2bBitlockerManagementHandler13/12/2022 14:07:045864 (0x16E8)
      Could not check enrollment url, 0x00000001:BitlockerManagementHandler13/12/2022 14:07:045864 (0x16E8)
      Processing BitLockerManagement Rule 'BitLockerManagementSettings_NoOverwritePolicy'. Enforcement is OFFBitlockerManagementHandler13/12/2022 14:07:045864 (0x16E8)
      Not compliant with MBAM client installation.BitlockerManagementHandler13/12/2022 14:07:045864 (0x16E8)
      Processing BitLocker Management Policy ScopeId_506F5099-79F7-43F9-981C-E9F24EDE97F2/ConfigurationPolicy_b0afbbd4-2f3e-45e8-b9be-a35f67f0cb2bBitlockerManagementHandler13/12/2022 14:07:045864 (0x16E8)
      Could not check enrollment url, 0x00000001:BitlockerManagementHandler13/12/2022 14:07:045864 (0x16E8)
      Processing BitLockerManagement Rule 'BitLockerManagementSettings_NoOverwritePolicy'. Enforcement is ONBitlockerManagementHandler13/12/2022 14:07:045864 (0x16E8)
      Starting MBAM setup with command '"C:\WINDOWS\system32\msiexec.exe" /i "C:\WINDOWS\CCM\MBAMClient.msi" /qn /norestart /lv "C:\WINDOWS\CCM\LOGS\MBAMClientMSI.log" 'BitlockerManagementHandler13/12/2022 14:07:045864 (0x16E8)
      Processing group policy NoOverwritePolicy, enforce mode is ONBitlockerManagementHandler13/12/2022 14:07:155864 (0x16E8)
      Bitlocker Management rule BitLockerManagementSettings_NoOverwritePolicy is compliantBitlockerManagementHandler13/12/2022 14:07:155864 (0x16E8)
      Processing BitLockerManagement Rule 'BitLockerManagementSettings_ScCompliancePolicy'. Enforcement is ONBitlockerManagementHandler13/12/2022 14:07:155864 (0x16E8)
      Installed MBAM product version 2.5.1152.0BitlockerManagementHandler13/12/2022 14:07:155864 (0x16E8)
      Desired MBAM product version 2.5.1152.0BitlockerManagementHandler13/12/2022 14:07:155864 (0x16E8)

      1. CherryZhang-MSFT (3,451 Reputation points, Microsoft Employee), 2022-12-21T08:54:20.747+00:00

        Hi @ GJ-4375,

        Thanks for your reply!

        > I did an in-place OS upgrade of my MP on 14th Nov from W2012R2 to W2019 and I'm wondering if this has caused any changes in IIS; that's why I asked if adding that setting was necessary/required.

        1, However, as you said, most clients have already migrated successfully.
        According to the log, all clients displayed "Could not check enrollment url, 0x00000001". Is there any difference between these failed clients and the successful clients? This may be a breakthrough. Besides, could you please upload a full successful log and an unsuccessful log for our reference?

        2, For the MP, please check MPControl.log to see if there is any useful information.

        Thank you for your time and patience!

        Best regards
        Cherry

      2. JG (266 Reputation points), 2022-12-23T12:16:46.25+00:00

        Thanks @CherryZhang-MSFT - We are finished for the festive period, but will pick this back up when we return in January. Happy Holidays :-)

      3. CherryZhang-MSFT (3,451 Reputation points, Microsoft Employee), 2022-12-26T01:34:55.727+00:00

        Happy Holidays!

      4. JG (266 Reputation points), 2023-01-10T12:29:28.263+00:00

        Hi @CherryZhang-MSFT

        So I have been doing some testing and I am able to recover the 2 test laptops and another, and can see the keys rotating and keys escrowed to the MP (via CMG :-)

        What I was checking was the last update time in the tables in SQL, and this is how the issue has arisen. One laptop, however, doesn't exist in the RecoveryAndHardwareCore_Keys table in the DB.

        select * FROM [CM_CLY].[dbo].[RecoveryAndHardwareCore_Machines] where name in ('lap1','lap2','LAP3')

        | Id | LastUpdateTime | Name | TpmPasswordHash | DomainId | TpmPasswordHashHash | TpmPolicyState | ItemKey |
        |---|---|---|---|---|---|---|---|
        | 72057594037927999 | 2022-08-30 21:31:40.000 | LAP3 | NULL | 16777216 | NULL | 1 | 16790460 |
        | 72057594037928460 | 2022-09-21 12:04:49.000 | LAP1 | NULL | 16777216 | NULL | 1 | 16790410 |
        | 72057594037939734 | 2022-12-19 10:58:36.000 | LAP2 | NULL | 16777216 | NULL | 1 | 16791661 |

        select * from RecoveryAndHardwareCore_Keys as keys where Id in ('72057594037927999','72057594037928460','72057594037939734')

        | Id | LastUpdateTime | VolumeId | RecoveryKeyId | RecoveryKey | RecoveryKeyPackage |
        |---|---|---|---|---|---|
        | 72057594037927999 | 2022-08-30 13:18:42.000 | 72057594037927992 | 7be4fxxxxxx | (redacted) | (redacted) |
        | 72057594037928460 | 2022-09-21 08:05:18.000 | 72057594037928438 | 9c4axxxxxxx | (redacted) | (redacted) |

        So LAP2 isn't showing in the keys table. So my questions are:

        1. Why is that not in the keys table (although it appears to recover fine)?
        2. Why are the last update times not updated with the new recovery keys - or if they are, what table is this listed in at all? It just appears to be the time it initially created the entry for the machine.

        Many thanks
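The two ad-hoc queries in the last comment can be generalised into one read-only check that lists every machine in the recovery store with no escrowed key, which is exactly the gap described for LAP2. This is an added T-SQL example, not the poster's or Microsoft's code; it assumes only the table and column names visible in the thread and the site database name [CM_CLY] from the first query.

```sql
-- Added example (not from the thread): read-only check against the ConfigMgr site DB.
-- Lists every machine known to the BitLocker recovery store together with how many
-- keys are escrowed for it and when the newest key was written, so machines that report
-- compliance but have no key row stand out. Table/column names and the database name
-- [CM_CLY] are those shown in the thread's own queries; nothing here modifies data.
USE [CM_CLY];

WITH KeysPerMachine AS (
    -- One row per machine Id: number of stored keys and the newest key timestamp.
    -- Keys.LastUpdateTime is the key-level time; Machines.LastUpdateTime is the
    -- machine row's own time, which is why the two can differ in the thread's output.
    SELECT k.Id,
           COUNT(*)              AS KeyCount,
           MAX(k.LastUpdateTime) AS LastKeyEscrow
    FROM dbo.RecoveryAndHardwareCore_Keys AS k
    GROUP BY k.Id
)
SELECT m.Name,
       m.ItemKey,
       m.LastUpdateTime        AS MachineRowUpdated,
       ISNULL(kpm.KeyCount, 0) AS KeyCount,
       kpm.LastKeyEscrow,                        -- NULL when nothing was ever escrowed
       CASE WHEN kpm.Id IS NULL THEN 'NO KEY ESCROWED' ELSE 'OK' END AS EscrowStatus
FROM dbo.RecoveryAndHardwareCore_Machines AS m
LEFT JOIN KeysPerMachine AS kpm
       ON kpm.Id = m.Id
-- Machines with no key row first, then alphabetical; drop the WHERE to see all rows.
WHERE kpm.Id IS NULL
ORDER BY m.Name;
```

Against the rows shown above, LAP2 (Id 72057594037939734) is the only machine this returns; removing the WHERE clause shows the per-machine key count and newest key time for the others.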
