I have read through the best practices guide for the EERM with EEFF 4.0.1 with EPO 4.6. I was hoping that I could allow the users to have two recovery options for Removable Media, a Recovery Password and Recovery Questions. Then I was going to have a Recovery Key option, but have a generic Support Admin key as the recovery key, so if the user cannot recover with the other two options, then they can call the Servicedesk, who would recover the data for them.
Unfortunately, I have found that you cannot have a recovery key set in the "Removable Media" policy, that is not assigned to a user or system via the "Grant Keys" policy. This either means that I have to assign the users or their machines the Admin recovery key, so they can encrypt the USB with that, or else they get a "Initialization Failed" when trying to encrypt the USB. Granting them the key ruins the whole premise of having a single Recovery Admin key, as ALL users would then have this key and be able to recover ANY of the usb devices encrypted in the company.
Alternatively, I could go to Personal Key option, and use the User Personal Key as the recovery key. This in itself makes it easier for the user to recover their device, but makes support take more time, as you need to change a user personal key to a regular key, assign the regular key to the admin, and then recover the device. This is assuming the level 1 support has access to the EPO to change the keys. The second issue with this is, if you are given a key to recover that was encrypted by your company, but you are not aware of who encrypted it, there is no way that I have found to discover who encrypted the USB key. And if you have a large organisation with personal keys, you could have a large amount of personal keys to sift through.
Can anyone tell me if it is possible to have a single recovery key that is not assigned to the user or their computer, and still be able to encrypt the USB device? Alternatively, does anyone know how to find out who/what key was used to encrypt a USB device?