Missing Recovery Keys

This forum is used to support the BitLocker for Automate plugin. You will find documentation on the plugin as well as an area to post issues and requests. Please post
htxitc
Posts: 3
Joined: Tue Apr 19, 2022 9:58 pm

Missing Recovery Keys

Post by htxitc »

I subscribed and installed BitLocker for Automate a couple of days ago. Some observations:

*When opening the Automate Client properties and selecting the BitLocker tab, it takes about 10 minutes to list all of the BitLocker Compatible Agents. There are approximately 760 computers under this particular client

*In the BitLocker Manager dashboard, it shows that 231 Agent Using BitLocker, but which computers are using it, and more importantly, which ones are not using it?

*Perhaps I need to let it "do its thing" for a while longer, but I am not seeing any BitLocker recovery keys being imported into the console

If anyone has any suggestions on where to look, what to check, please let me know. Seems like something is not quite working the way it is supposed to here :(

Thanks!

Cubert
Posts: 2430
Joined: Tue Dec 29, 2015 7:57 pm

Re: Missing Recovery Keys

Post by Cubert »

There is one query to collect all the agents

Code:

SELECT ComputerID as ID, Name, '0' as img FROM computers WHERE OS like '%Windows%' and ClientID = '{0}' ORDER BY Name

and 1 query per agent ID from the above query to collect drive information.

Code:

SELECT d.DriveID as ID, ConCat('', d.Letter, ': - ', d.Model, '  Drive Size (', d.Size, 'MB)') as Name, IF((v.ProtectionStatus = 'On'), '1', '2') As img FROM drives d LEFT JOIN plugin_p4a_bitlocker_volumes v ON d.ComputerID = v.ComputerID and d.Letter = v.MountPoint WHERE d.FileSystem = 'NTFS' and d.ComputerID = 'YourComputerIDHere' ORDER BY d.Letter

So if you have 750 agents under a single client you can expect to see 751 SQL queries to complete the loading of the console. This may take some time to complete the looping and to finish the drive menu view.

There are some Key Protectors that do not generate Keys but use TPM only which is the KEY.


The image below shows that if you select an agent it will expand and should show you gold or silver drives. Gold drives are secured (encrypted). To the right, if you select the encrypted drive, it will display the key protectors it sees on the agent. If it is using TPM only then there is no key, as the key is the hardware setup and not a physical number.

[image: BL-1.png]

Cubert
Posts: 2430
Joined: Tue Dec 29, 2015 7:57 pm

Re: Missing Recovery Keys

Post by Cubert »

Also, we found a small bug with the auto update function that is fixed in 1.0.0.9, along with some people reporting lock images not showing up on agent drives. This should fix that as well.

So manually updating to 1.0.0.9 will resolve any further manual updates.

Cubert
Posts: 2430
Joined: Tue Dec 29, 2015 7:57 pm

Re: Missing Recovery Keys

Post by Cubert »

Also, if you only select the agent and do not select a drive, it should report on how many drives are encrypted on the agent.

[image: BL-2.png]

htxitc
Posts: 3
Joined: Tue Apr 19, 2022 9:58 pm

Re: Missing Recovery Keys

Post by htxitc »

Hello Cubert,

Thank you for the response and details, really do appreciate it! I updated BitLocker for Automate to version 1.0.0.9 a couple of hours ago, as you suggested. I also had CW Automate support reboot my server and clear some cache; it is running much faster now and the BitLocker tab loads in a little over a minute (I'm good with that).

In regards to BitLocker and its use of the TPM to generate and securely store a recovery key, my understanding is that as long as there are no sort of boot-up/hardware/software/OS changes with the computer, the computer boot-up process and access to the encrypted drive is transparent and seamless from the end-user perspective (sounds like the recovery key is fetched from the TPM during boot). However, if for some legitimate reason something changes with the computer, the user will likely need to use a BitLocker recovery key as a failsafe to access encrypted volume data. How can we use BitLocker for Automate to store that recovery key in Automate? This is something of a "Break Glass in Event of Emergency".

Key Used Only When Boot Measurements are Accurate
https://docs.microsoft.com/en-us/window ... es-the-tpm


Interesting you mentioned the lock images; I am also experiencing that even after the 1.0.0.9 update. I select several agents without selecting the drive and can see that there are encrypted volumes. However, I don't see a gold lock or anything where the recovery key is supposed to populate. I'll keep an eye on it for the next 24-48 hours and see if something changes. However, if there is anything you would like me to check or send you, please let me know.

I have images, but not sure how to include them in this posting :(

htxitc
Posts: 3
Joined: Tue Apr 19, 2022 9:58 pm

Re: Missing Recovery Keys

Post by htxitc »

Cubert,

Also, forgot to mention that there are a lot of agents reporting encrypted volumes; however, none of them are displaying the gold lock image indicating encrypted status, and no information is being populated for protector/recovery key information. This includes encryption using TPM. -Thanks!

Cubert
Posts: 2430
Joined: Tue Dec 29, 2015 7:57 pm

Re: Missing Recovery Keys

Post by Cubert »

Just for shits and giggles, did you restart your Control Center? Launched it as Administrator afterwards and logged back in? Just to make sure the local ControlCenter DLL was updated as well as the Automate host.


Next, TPM.

[image: BL-4.png]

You can use TPM, or TPM with a code, or both. If a probe of an encrypted agent has a key for a key protector then our plugin should pick it up and display it. See image below.

[image: BL-3.png]
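The distinction Cubert draws above (a TPM-only protector has no numeric key for the console to import, while a RecoveryPassword protector does) can be checked directly on an agent. The following is an added example, not code from the BitLocker for Automate plugin or from either poster; it uses the built-in BitLocker PowerShell module (Get-BitLockerVolume, Add-BitLockerKeyProtector, Backup-BitLockerKeyProtector) from an elevated session. The function names Get-BitLockerProtectorReport and Add-MissingRecoveryPassword are the example's own. It lists each volume's protector types, flags volumes that are protected by TPM alone, and can add a recovery password protector (optionally escrowing it to Active Directory) so that a 48-digit break-glass key actually exists for the plugin to collect.

```powershell
# Added example (not plugin code): audit BitLocker key protectors on one Windows agent.
# Assumes the BitLocker module is present and the session is elevated.

function Get-BitLockerProtectorReport {
    # One row per BitLocker volume, with the protector types the OS reports.
    foreach ($vol in Get-BitLockerVolume) {
        $types    = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        $recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
        [pscustomobject]@{
            MountPoint          = $vol.MountPoint
            ProtectionStatus    = $vol.ProtectionStatus   # On / Off (what the plugin's query joins on)
            VolumeStatus        = $vol.VolumeStatus       # FullyEncrypted, EncryptionInProgress, ...
            Protectors          = ($types -join ',')
            HasRecoveryPassword = ($recovery.Count -gt 0)
            # Protected, TPM present, but no numeric recovery password: nothing to escrow.
            TpmOnly             = ($vol.ProtectionStatus -eq 'On' -and
                                   ($types -contains 'Tpm') -and
                                   $recovery.Count -eq 0)
        }
    }
}

function Add-MissingRecoveryPassword {
    # For every TPM-only volume, add a RecoveryPassword protector so a 48-digit key exists.
    # -BackupToAD additionally escrows the new protector to Active Directory.
    # Only the protector ID is returned; the password itself is never written to output.
    param([switch]$BackupToAD)

    Get-BitLockerProtectorReport | Where-Object { $_.TpmOnly } | ForEach-Object {
        $mp  = $_.MountPoint
        $vol = Add-BitLockerKeyProtector -MountPoint $mp -RecoveryPasswordProtector
        $rp  = $vol.KeyProtector |
               Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
               Select-Object -Last 1
        if ($BackupToAD) {
            Backup-BitLockerKeyProtector -MountPoint $mp -KeyProtectorId $rp.KeyProtectorId
        }
        [pscustomobject]@{ MountPoint = $mp; KeyProtectorId = $rp.KeyProtectorId }
    }
}

# Report only; run Add-MissingRecoveryPassword (with or without -BackupToAD) to remediate.
Get-BitLockerProtectorReport | Format-Table -AutoSize
```

Run the report first: a volume showing ProtectionStatus On with Protectors of just Tpm is exactly the case where the console will show an encrypted drive but no recovery key. After Add-MissingRecoveryPassword the next plugin probe has a RecoveryPassword protector to pick up, and the AD backup (or whatever escrow your environment uses) means the key survives even if the agent never reports again.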
