I really like storing the Encryption key within AD. But customers, in the past have opted not to use it in their MBAM setups. This is because they didn’t have the greatest management of their environment in place, there were quite a number of Domain Admins in the company, all of whom could easily access the keys if they so chose to. It would be as simple as getting the Bitlocker Key Viewer that’s a part of RSAT and browsing to the Computer Object. Well, if you find yourself in this scenario and you want a quick way to retrieve keys, you can just run a query on the Database.
You’ll want to navigate to the Hardware and Recovery Database and query the RecoveryandHardwareCore.Keys table
SELECT TOP 1000 [Id]
,[LastUpdateTime]
,[VolumeId]
,[RecoveryKeyId]
,[RecoveryKey]
,[Disclosed]
FROM [MBAM Recovery and Hardware].[RecoveryandHardwareCore].[Keys]
Will list the keys.
