BitLocker Recovery Key Retrieval Failures

You may see clients returning a status indicating that the EMU Server failed to retrieve the recovery key. Troubleshooting depends on where your recovery keys are stored. The scenarios are outlined below:

  1. You are using ConfigMgr to store recovery keys:
    1. In this case, verify that the EMU Server service account has the Execute permission on the RecoveryAndHardwareCore.DecryptString scalar function in the ConfigMgr database. You can grant it directly with T-SQL or through the SQL Server Management Studio (SSMS) GUI:
      1. GRANT EXECUTE ON RecoveryAndHardwareCore.DecryptString TO [FOONET\EMU-Server]
      2. SSMS GUI: [Screenshot: DecryptString troubleshooting, granting Execute on the function in SSMS]
  2. You are using Standalone MBAM to store your recovery keys:
    1. In this scenario the issue does not arise: EMU provides the EMU user with the volume's KeyID and opens the MBAM recovery page, from which they retrieve the recovery key themselves.
  3. You are using Intune to store your recovery keys:
    1. Coming Soon.
  4. You are using a third-party disk encryption solution:
    1. Coming Soon.
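For scenario 1, the following T-SQL is an added worked example (not part of the original article or of EMU itself) that checks the current permission state before and after the grant, so you can confirm the fix rather than just apply it. It assumes the ConfigMgr site database name `CM_XXX` (placeholder), that the service account already has a SQL Server login, and reuses the article's example account name `FOONET\EMU-Server`. It grants only EXECUTE on the one function, which is the least-privilege fix; adding the account to db_owner would also work but grants far more than the scenario needs.

```sql
-- Added example, not from the original article.
-- Placeholders: CM_XXX = your ConfigMgr site database; FOONET\EMU-Server = EMU service account.
USE [CM_XXX];
GO

-- 1. Confirm the scalar function exists (type_desc should be SQL_SCALAR_FUNCTION).
SELECT s.name AS schema_name, o.name AS object_name, o.type_desc
FROM sys.objects AS o
JOIN sys.schemas AS s ON s.schema_id = o.schema_id
WHERE s.name = N'RecoveryAndHardwareCore' AND o.name = N'DecryptString';

-- 2. Make sure the service account is a user in this database (assumption:
--    the Windows login [FOONET\EMU-Server] already exists at the server level).
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'FOONET\EMU-Server')
    CREATE USER [FOONET\EMU-Server] FOR LOGIN [FOONET\EMU-Server];

-- 3. Show what the account currently holds on the function (empty = nothing granted yet).
SELECT dp.state_desc, dp.permission_name, pr.name AS grantee
FROM sys.database_permissions AS dp
JOIN sys.database_principals AS pr ON pr.principal_id = dp.grantee_principal_id
WHERE dp.class_desc = N'OBJECT_OR_COLUMN'
  AND dp.major_id = OBJECT_ID(N'RecoveryAndHardwareCore.DecryptString')
  AND pr.name = N'FOONET\EMU-Server';

-- 4. Grant EXECUTE on that single function only, and only if it is missing.
IF NOT EXISTS (
    SELECT 1
    FROM sys.database_permissions AS dp
    JOIN sys.database_principals AS pr ON pr.principal_id = dp.grantee_principal_id
    WHERE dp.class_desc = N'OBJECT_OR_COLUMN'
      AND dp.major_id = OBJECT_ID(N'RecoveryAndHardwareCore.DecryptString')
      AND dp.permission_name = N'EXECUTE'
      AND dp.state_desc = N'GRANT'
      AND pr.name = N'FOONET\EMU-Server')
BEGIN
    GRANT EXECUTE ON OBJECT::RecoveryAndHardwareCore.DecryptString TO [FOONET\EMU-Server];
END
GO

-- 5. Verify from the service account's own perspective; EXECUTE should now be listed.
EXECUTE AS USER = N'FOONET\EMU-Server';
SELECT permission_name
FROM sys.fn_my_permissions(N'RecoveryAndHardwareCore.DecryptString', N'OBJECT');
REVERT;
GO
```

Run it as a sysadmin or db_owner on the site database. Step 5 is the useful check: if EXECUTE appears there but EMU still reports a retrieval failure, the SQL permission is not the cause and you should look at the account EMU is actually running under (it may differ from the one you granted to).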