    Old MDE Active systems in ePO System Tree




      Sorry if this has been asked before, I've searched the forum and drawn a blank.


      We have a number of MDE-encrypted devices.


      Some devices sit in drawers for months on end, some leave the network and never contact an Agent Handler ever again - or might pop up in 18 months' time when Jonny User decides he fancies the free Windows 10 upgrade he saw on the TV...


      So in ePO we run Inactive Agent cleanup tasks to trim our devices, as we have a high churn rate (an acquisition-happy company).  I was caught out a number of years ago when the PBFS corrupted and a device wouldn't boot, but the system was no longer in ePO so I couldn't export the key for use in EETech.  That was a bad day.  So at the moment I have just been excluding devices with an MDE state of 'Active' from the cleanup tasks, but I still have hundreds of 'MDE-Active' systems that have not contacted ePO for 1 year+.


      I'm using ePO 531 and MDE 7.1+.  If a system which has an MDE machine key associated with it is deleted, is the key deleted?  What happens if the system reappears in 6 months time and re-contacts ePO?


      How do others handle this situation?


      To retain the key, do I need to leave the old 'Active' device in the System Tree until we know we have reimaged/disposed of it, and just deal with the bloat?





          If the system is no longer in ePO, you can recover the key using the DETech tool and the Key Check Value that DETech provides. Once you have the DETech Key Check Value, you can go to the System Tree, then Actions > Drive Encryption > Export recovery information based on keycheck (the wording may be slightly different). On that screen you input the key check value, and ePO will give you an XML token that can be used to unlock the drive.


          I'd recommend testing this out and see if it would be appropriate for your environment.
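One way to keep the original poster's situation from arising in the first place is to pull the list of stale MDE-active systems out of ePO on a schedule and export their recovery information before the Inactive Agent cleanup task deletes them. The PowerShell below is an added example for that first step, written for this thread; it is not from the original posts and not McAfee's own tooling. It assumes the ePO web API answers at https://<server>:8443/remote/ with Basic auth, that the account can run core.executeQuery, that you already have a saved query returning systems whose MDE state is Active (its id is visible in core.listQueries), and that the query's columns include EPOLeafNode.NodeName and EPOLeafNode.LastUpdate. Every server name and query id in it is a placeholder.

```powershell
<#
Added example; not from the original thread and not McAfee's own tooling.
Runs one of your saved ePO queries (the same "MDE state is Active" query that
the Inactive Agent cleanup task excludes), keeps the systems whose agent has not
called in for more than $InactiveDays, and writes them to a CSV. That CSV is the
list to work through in the System Tree (Actions > Drive Encryption > Export
recovery information) before the cleanup task removes the records.

Assumptions (verify against your own ePO):
  - the ePO web API answers at https://<server>:8443/remote/ with Basic auth
    and the account may run core.executeQuery (core.listQueries shows query ids)
  - the saved query's result columns include EPOLeafNode.NodeName and
    EPOLeafNode.LastUpdate; other columns are ignored
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string]       $EpoServer,   # e.g. epo.corp.example (placeholder)
    [Parameter(Mandatory)] [pscredential] $Credential,  # ePO account with query rights
    [Parameter(Mandatory)] [int]          $QueryId,     # id of the saved "MDE Active" query
    [int]    $InactiveDays = 365,
    [string] $OutFile      = '.\mde-active-stale-systems.csv'
)

function Invoke-EpoCommand {
    # Calls one ePO remote command and returns the parsed JSON body.
    param([string] $Server, [pscredential] $Cred, [string] $Command, [string] $QueryString)

    $pair  = '{0}:{1}' -f $Cred.UserName, $Cred.GetNetworkCredential().Password
    $token = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($pair))
    $uri   = "https://${Server}:8443/remote/${Command}?${QueryString}&:output=json"

    # ePO answers with 'OK:' on the first line and the payload after it;
    # anything else (an 'Error:' line) is surfaced as a terminating error.
    $resp = Invoke-WebRequest -Uri $uri -Headers @{ Authorization = "Basic $token" } -UseBasicParsing
    $body = $resp.Content
    if ($body -notmatch '^OK:') { throw "ePO returned: $body" }
    return ($body -replace '^OK:\s*', '') | ConvertFrom-Json
}

function Get-StaleEncryptedSystems {
    # Keeps rows whose LastUpdate is older than $Cutoff. A row with no
    # LastUpdate at all (agent never reported after enrolment) is kept too,
    # because that is exactly the record you least want to lose.
    param([object[]] $Rows, [datetime] $Cutoff)

    foreach ($row in $Rows) {
        $props = $row.PSObject.Properties
        $name  = ($props | Where-Object Name -like '*NodeName'   | Select-Object -First 1).Value
        $seen  = ($props | Where-Object Name -like '*LastUpdate' | Select-Object -First 1).Value

        $lastSeen = $null
        if ($seen) { try { $lastSeen = [datetime]$seen } catch { $lastSeen = $null } }

        if (-not $lastSeen -or $lastSeen -lt $Cutoff) {
            [pscustomobject]@{
                NodeName     = $name
                LastUpdate   = $lastSeen
                DaysInactive = if ($lastSeen) { [int]((Get-Date) - $lastSeen).TotalDays } else { $null }
            }
        }
    }
}

$rows   = Invoke-EpoCommand -Server $EpoServer -Cred $Credential -Command 'core.executeQuery' -QueryString "queryId=$QueryId"
$cutoff = (Get-Date).AddDays(-$InactiveDays)
$stale  = @(Get-StaleEncryptedSystems -Rows $rows -Cutoff $cutoff)

$stale | Sort-Object DaysInactive -Descending | Export-Csv -Path $OutFile -NoTypeInformation
Write-Host ("{0} of {1} MDE-active systems have not contacted ePO in {2}+ days; list written to {3}" -f `
    $stale.Count, @($rows).Count, $InactiveDays, $OutFile)
```

Run it as `.\Get-StaleMde.ps1 -EpoServer epo.corp.example -Credential (Get-Credential) -QueryId 123` (server and id are placeholders). ePO servers commonly present a self-signed certificate; on Windows PowerShell 5.1 that means trusting it in the machine store before the call works, and on PowerShell 7 you can add -SkipCertificateCheck to Invoke-WebRequest for a lab run. The script deliberately stops at producing the list: the export of recovery information is done from the System Tree as described in the reply above, and the cleanup task should only be allowed to delete a system once its XML recovery token has been saved somewhere outside ePO.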

            Very interesting thanks.


            I should have RTFM'd...