Retrieve the User State Recovery Key

Posted On 14 December 2018

Hi,

SCCM allows through task sequences to save and restore the user state during a migration or a refresh of a device.

It is possible that during the restoration the key will be lost because the computer association will no longer be visible. This happens because of a change of the ResourceID.

It then becomes impossible to get that key back to allow us to decrypt the backup archive (.MIG file), neither by using the console, nor a SQL query.

the only way is through PowerShell.

The script that I have realised will allow to get back the list of all computer associations, including Source ResourceID, destination ResourceID, path to the backup archive on the SMP and the user state recovery key.  Replace the Site_XXX with your sitename (but keep the Site_).

The result will then be stored in a .CSV file with today’s date.

$requete="SELECT SourceClientResourceID, RestoreClientResourceID, StorePath FROM SMS_StateMigration"
$result = Get-WmiObject -Namespace "root\SMS\Site_XXX" -Query $requete

$tableauExport = @()

Foreach($row in $result){
    $Query = "select * from SMS_StateMigration where SourceClientResourceID=" + $row.SourceClientResourceID + " and RestoreClientResourceID=" + $row.RestoreClientResourceID
    $pStateMigration = Get-WmiObject -Namespace "root\SMS\Site_XXX" -Query $Query
    $key=$pStateMigration.GetEncryptDecryptKey()
    write-host "Poste source :" + $row.SourceClientResourceID + "=====> Poste cible "+ $row.RestoreClientResourceID
    write-host "Clé = " $key.key
    write-host "Path = "$row.StorePath
    write-host " "
    $ligne = New-Object System.Object
    $ligne | Add-Member -MemberType NoteProperty -Name "Poste Source" -value $row.SourceClientResourceID
    $ligne | Add-Member -MemberType NoteProperty -Name "Poste Destination" -value $row.RestoreclientResourceID
    $ligne | Add-Member -MemberType NoteProperty -Name "Path" -value $row.StorePath
    $ligne | Add-Member -MemberType NoteProperty -Name "Key" -value $key.key

    $tableauExport+= $ligne    
}

$Date = Get-Date -UFormat '%d_%m_%Y'
$FileName = "C:\temp\export_cles_recovery_"+$Date+".csv" 
$tableauExport | Export-Csv -NoTypeInformation -Path $fileName -Delimiter ";"

Then, go back to your SCCM server in :

C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\User State Migration Tool\amd64\

(The path may change depending on the ADK version)

And launch one of the followings :


usmtutils /extract \\le_path_vers_le_mig  C:\temp\dossier_de_destination /decrypt /key:la_cle


loadstate \\server\share\migration\mystore /i:migapp.xml /i:migdocs.xml /v:13 /decrypt /key:"mykey"

For your information, the path leads to the folder, so you have to mention the name of the MIG file.
By default, it’s called USMT.mig

Here are links to know more about both the commands :

Usmtutils : https://docs.microsoft.com/en-us/windows/deployment/usmt/usmt-utilities

Loadstate : https://docs.microsoft.com/en-us/windows/deployment/usmt/usmt-loadstate-syntax

Hope you enjoyed this article and that it will be useful for you.

Cet article vous a plu ? N'hésitez pas à le partager.
  •  
  •  
  •  
  •  
  •  
  •  
  •  

Related Posts

About The Author

Walid Rahoui

I am a Premier Field Engineer at Microsoft France. I focus on Modern Workplace technologies such as SCCM, Intune, Autopilot and the EMS different security bricks.

Add a Comment

Your email address will not be published. Required fields are marked *