Once you change the Personal Recovery key to a "Regular key", you then need to assign that key via the "Grant Keys" policy to whoever you want to recover the device's data. So you could have a seperate "grant keys" policy that is assigned as a UBP (User Based Policy....assigned via the Policy Assignment Rules), that targets only a support account or members of a support admin AD group. And then in this policy, have the personal key that is now a regular key, assigned to these admin support users, and they should be able to recover and change the password on the USB.
The issue I have been having is that, if you have a USB you need to recover, but you don't know who encrypted it, then you could have some trouble finding the right personal key to assign to this support group for the recovery.
Hope that helps.
Thank you David,
the problematic user key has been turned to regular key and assigned via UBP to the admin person who should recover the device's data. Still admin person gets "Failed to authenticate!" when trying to recover.
Admin user can see from his EEFF console in available keys section two keys, but none of those is actually problematic user key, even it is granted to admin user.
Removable media policy sets "Use recovery key: User Personal Key" and "Allow Recovery Password" for everyone.
What else can be wrong with policies?
If you are certain that the Policy is targeting the admin via UBP, then I can only suggest that the Policy is not updating on the Admin's workstation properly. Maybe have it do a forced "Collect and Send Props" from the agent monitor in the Agent Icon?
Double check the policy assignments are targeting the Admin user or his workstation properly, force a policy and task update through the agent and check the EEFF status and see if the key is there.
Sorry I can't be more help, but I hope it works.