I am attempting to do the same thing. It seems that you can't setup a recovery key if the user that is encrypting the device does not have access to that key. I was hoping to setup a recoery key for admins, as you suggested, so if the user forgets the password or the recovery password or questions, then a admin can recover it with ease.
Unfortunately this does not seem to be the case. If you set the Recovery key as a key that the user who encrypts the data does not have access to, they will get a "Initialization Failed" message when trying to encrypt it. However, I wanted to avoid giving each user a personal key, just to restrict the size of the database and for ease of management.
So, is there any way that we can set a recovery key to something that has not been granted to the user? That would make management and support much simpler.
Do any of the McAfee mods know if this is possible?
I have actually recieved confirmation that the recovery key needs to be assigned to the person initializing the device, it cannot simply just be used for recovery.
However, if you have the Domain Admin Policy setup, the only way I know of is to change the User Personal Key to a Regular key, and assign the regular key to the domain admins policy. That will allow the domain admins to recover the usb stick, and after the recovery is done, they can then assign the regular key back to being a User Personal Key. Not the best option for support, but best for users, as they can just use their key to recover the device without issue if it was themselves who encrypted it.
Also not aware of any utilities that can be used to identify what user personal key was used to encrypt the USB.....so if you have quite a number of users and not sure who encrypted the USB, then it might make it hard to determine which personal key needs to be used for the recovery.
Far from a complete package at this time, but hopefully the next version considers some of these issues. At this time, I can only imagine we have to work within the realms of the capabilities of the software.
Davidbunt is correct. The only way to allow admins to recover media that was encrypted with EERM is to change the key of the person that encrypted the device to a regular key, grant that key to your domain admins and then allow your domain admins to recover the device. This is abridged version of how to complete the task, but is does work and works well.
I think I understand what you guys are doing, but I'm kinda confused where you give the Domain Admins access to do this? Does anybody have the steps used to do this? Thanks so much!