5 Replies Latest reply on Jan 25, 2017 12:00 AM by web1b

    Management Of Native Encryption Bitlocker Recovery

    web1b

      Can Bitlocker recovery keys be accessible in both ePO and from AD at the same time?

        • 1. Re: Management Of Native Encryption Bitlocker Recovery
          hhoang

          Technically, that would be redundant but yes it would be possible.  MNE is designed to automatically back up the keys to the EPO database.  Conversely, Bitlocker can also be configured with GPO to automatically back up keys to AD.  If both are enabled at the same time then you may see some adverse effects.  If you would like to back up keys to AD also you should be able to do that through the Bitlocker API.


          i.e. manage-bde -protectors -adbackup <volume> -id <protector ID>


          You can get the key ID from the following command: manage-bde -protectors -get <volume>
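          The manage-bde steps above, carried across every volume and recovery-password protector on a machine, as an added example (not code from the thread or from the MNE product). It uses the BitLocker PowerShell module's Get-BitLockerVolume and Backup-BitLockerKeyProtector cmdlets, which perform the same AD escrow as "manage-bde -protectors -adbackup"; the function name Backup-AllRecoveryProtectorsToAD is an assumption, and the script assumes an elevated prompt on a domain-joined machine whose AD schema and GPO already permit BitLocker recovery-information backup.

```powershell
# Added example: escrow every BitLocker numeric recovery password on this
# machine to Active Directory, the same operation as
#   manage-bde -protectors -adbackup <volume> -id <protector ID>
# Assumes: elevated session, domain-joined machine, BitLocker module present,
# and the "Store BitLocker recovery information in AD DS" GPO already applied.
#Requires -RunAsAdministrator

function Backup-AllRecoveryProtectorsToAD {
    [CmdletBinding()]
    param()

    $results = @()
    foreach ($vol in Get-BitLockerVolume) {
        # Only RecoveryPassword protectors (the 48-digit keys) hold a secret
        # worth escrowing; TPM / TPM+PIN protectors cannot be backed up to AD.
        $recovery = $vol.KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

        if (-not $recovery) {
            # A volume with no recovery password cannot be recovered from AD at all.
            Write-Warning "$($vol.MountPoint): no recovery password protector found"
            continue
        }

        foreach ($kp in $recovery) {
            try {
                # Equivalent of: manage-bde -protectors -adbackup <volume> -id <protector ID>
                Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                    -KeyProtectorId $kp.KeyProtectorId -ErrorAction Stop | Out-Null
                $status = 'BackedUp'
            } catch {
                # Typical causes: not domain-joined, DC unreachable, schema/GPO missing.
                $status = "Failed: $($_.Exception.Message)"
            }

            $results += [pscustomobject]@{
                MountPoint     = $vol.MountPoint
                KeyProtectorId = $kp.KeyProtectorId
                Status         = $status
            }
        }
    }
    return $results
}

# Run it and show one row per protector; any row not reading "BackedUp"
# is a volume whose recovery depends solely on the ePO database.
Backup-AllRecoveryProtectorsToAD | Format-Table -AutoSize
```

          Because the backup is keyed on the protector ID, re-running the script after a recovery password has been rotated escrows the new one, so scheduling it (for example as a startup or recurring scheduled task) is a reasonable way to keep the AD copy current. After a run, the escrowed passwords appear in AD as msFVE-RecoveryInformation objects beneath the computer account, which is where the BitLocker Recovery Password Viewer reads them from; confirm that view against the ePO copy before relying on AD as the fallback.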

          • 2. Re: Management Of Native Encryption Bitlocker Recovery
            web1b

            We need some way to be able to access recovery keys if the ePO server is down so we don't have to wait for the ePO server to become available again in order to access the recovery keys.

            What are the best options for this?

            Is backing up Bitlocker keys to AD the only method for redundancy and how would we automate it so rotating keys are immediately backed up to AD?

            • 3. Re: Management Of Native Encryption Bitlocker Recovery
              hhoang

               I could not comment on best practice with AD.  If you are looking for redundancy with EPO you may want to look into clustering - though if that is the case it will require a new install of EPO which may or may not be viable for you.

              • 4. Re: Management Of Native Encryption Bitlocker Recovery
                web1b

                It's not full ePO redundancy I'm asking about. A cluster won't help if the ePO database isn't accessible.

                We just need a backup method to access up to date Bitlocker recovery keys so we are not locked out if ePO is down.

                • 5. Re: Management Of Native Encryption Bitlocker Recovery
                  web1b

                  Can you be more specific as to what adverse effects there could be with having the Bitlocker recovery keys available in both ePO and AD at the same time?

                  With MDE, if ePO becomes inaccessible and TPM fails, there is still the possibility of recovery via administrator group user credentials or Question and Answer recovery if the user doesn't know their current EE user password, but remembers their security questions.

                  With MNE, everyone will be locked out of the system if there is no access to the current recovery key.  This could be permanent if the latest Bitlocker recovery key isn't in the last ePO database backup.  This seems dangerous to rely solely on ePO being always available.

                  We want to be able to have the ability to get recovery keys out of AD as a backup if ePO goes down for any reason.

                  Is there any way to regularly back up Bitlocker recovery keys outside of the ePO database so locked out users don't have to wait for an ePO server rebuild and database restore to get back into their workstations?