but the point is we use both so the end user has to enter them twice, we want to preload the local recovery info and are asking for an api to enable this...
you should really be using different details for both - you don't want administrators being able to see personal information about the user. A classic example is SSN - there's zero reason for an administrator or a helpdesk person to know or see this, but it's a perfect question for the local recovery option.
regardless though, there are no plans to expose the local recovery questions through an api - they can only be set in the pre-boot by the user for securty reasons.
what is SSN?
we tailor our questions so they are not a security risk to the user, what was the licence plate of your first car is hardly a problem etc.
Maybe here's the way to look at this: think of a Q/A pair as a password. Now create an API to set that password just like the API you already offer to set the password token. The API can't read what that password is, but it can set it. That's what we're asking for. We already have all our users' Q/A pairs (stored safely away from prying eyes BTW) in our Identity Management System--we just want a way to leverage that so users don't have to maintain multiple Q/A sets. And yes, we have separate Q/A sets: one for help desk assistance and one for user self-service, and never the two sets shall meet.
Sorry Courtney, but no such luck. As you can see from SafeBoot's response, they don't get it but have decided they do. After my original post I waited like 3 months for the FMR form to work then gave up. I tried explaining the circumstance to someone at a McAfee Focus conference once and quickly realized this functionality contradicted that group's world view. At that point I gave up for good since it became obvious it would go nowhere. If anyone from McAfee is actually interested in hearing more PM me and ask me to fill out the FMR.