Missing Recovery Keys

[htxitc]

I subscribed and installed BitLocker for Automate a couple of days ago. Some observations:

*When opening the Automate Client properties and selecting the BitLocker tab, it takes about 10 minutes to list all of the BitLocker Compatible Agents. There are approximately 760 computers under this particular client

*In the BitLocker Manager dashboard, it shows that 231 Agent Using BitLocker, but which computers are using it, and more importantly, which ones are not using it?

*Perhaps I need to let it "do its thing" for a while longer, but I am not seeing any BitLocker recovery keys being imported into the console

If anyone has any suggestions on where to look, what to check, please let me know. Seems like something is not quite working the way it is supposed to here

Thanks!

[Cubert]

There are is one query to collect all the agents

Code: Select all

SELECT ComputerID as ID ,Name, '0' as img FROM computers WHERE OS like '%Windows%' and ClientID = '{0}' ORDER BY Name

and 1 query per agent ID from above query to collect drive information.

Code: Select all

SELECT d. DriveID as ID,ConCat('',d.Letter,': - ',d.Model, '  Drive Size (',d.Size,'MB)') as Name, IF((v.ProtectionStatus = 'On'),'1','2') As img FROM drives d LEFT JOIN plugin_p4a_bitlocker_volumes v ON d.ComputerID = v.ComputerID and d.letter = v.MountPoint WHERE d.FileSystem = 'NTFS' and d.ComputerID ='YourComputerIDHere' ORDER BY d.letter

so if you have 750 agents under a single client you can expect to see 751 SQL queries to complete the loading of the console. This may take some time to complete the looping and to finish the drive menu view.

There are some Key Protectors that do not generate Keys but use TPM only which is the KEY.


The image below shows that if you select an agent it will expand and should show you gold or silver drives. Gold drives are secured (encrypted). To the right if you select the encrypted drive it will display the key protectors it sees on agent. If it is using TPM only then there is no key as the key is the hardware setup and not a physical number.

BL-1.png (51.76 KiB) Viewed 7005 times

[Cubert]

Also we found a small bug with the auto update function that is fixed in 1.0.0.9 along with some people reporting lock images not showing up on agent drives.. This should fix that as well.

So manually update to 1.0.0.9 will resolve any further manual updates.

[Cubert]

Also if you only select the agent and do not select a drive it should report on how many drives are encrypted on agent.

BL-2.png (55.25 KiB) Viewed 7005 times

[htxitc]

Hello Cubert,

Thank you for the response and details, really do appreciate it! I updated Bitlocker for Automate to version 1.0.0.9 a couple of hours ago, as you suggested. I also had CW Automate support reboot my server and clear some cache, it is running much faster now and the Bitlocker tab loads in a little over a minute (I'm good with that).


In regards to Bitlocker and its use of the TPM to generate and securely store a recovery key, my understanding is that as long as there are no sort of boot-up/ hardware/ software/ OS changes with the computer, the computer boot-up process and access to the encrypted drive is transparent and seamless from the end-user perspective (sounds like the recovery key is fetched from the TPM during boot). However, if for some legitimate reason, something changes with the computer, the user will likely need to use a Bitlocker recovery key as a failsafe to access encrypted volume data. How can we use Bitlocker for Automate to store that recovery key in Automate - this is something of a "Break Glass in Event of Emergency"

Key Used Only When Boot Measurements are Accurate
https://docs.microsoft.com/en-us/window ... es-the-tpm


Interesting you mentioned the lock images, I am also experiencing that even after the 1.0.0.9 update. I select several agents without selecting the drive and can see that there are encrypted volumes. However, I don't see a gold lock or anything where the recovery key is suppose to populate. I'll keep an eye on it for next 24-48 hours and see if something changes. However, if there is anything you would like me to check or send you, please let me know.

I have images, but not sure how to include them in this posting

[htxitc]

Cubert,

Also, forgot to mention that there a lot of agents reporting encrypted volumes, however none of them are displaying the gold lock image indicating encrypted status and no information is being populated for protector/ recovery key information. This includes encryption using TPM. -Thanks!

[Cubert]

Just for shits and giggles, did you restart your Control Center? Launched as Administrator afterwards and logged back in? Just to make sure the local ControlCenter DLL was updated as well as the Automate host?


Next, TPM.

BL-4.png (6.39 KiB) Viewed 6990 times

You can TPM or TPM with code or both. If a probe of a encrypted agent has a key for an key protector then our plugin should pick it up and display it. See image below.

BL-3.png (36 KiB) Viewed 6990 times