Symantec PGP Encryption

  • 1.  SEE 11.3 + Bitlocker + FIPS

    Posted Sep 10, 2020 08:08 AM
    Is it possible to use SEE to manage Bitlocker installations when the machine is in FIPS 140-2 mode on a Windows 10 machine?  We have a ton of SEE licenses so we figured we'd use them, although we don't want any preboot auth on the clients so we figured Bitlocker+TPM made sense.

    My client seems to install properly, encrypt the drive and check in with the Management Server but I am unable to use the Web Console to unlock the machine.  It doesn't accept the Recovery ID as valid.

    I'm stuck here as I didn't think it would encrypt the machine if it couldn't transmit the recovery password to the Management Server.

    Client:  Windows 10 1809 x64, SEE client is 11.3 Build 5887, TPM only, no PIN.

    Any help would be appreciated.

    Mark Housler

    ------------------------------
    Best regards!

    Mark Housler
    Help Desk Manager
    GD NASSCO-Norfolk
    mhousler@nassconorfolk.com
    ------------------------------


  • 2.  RE: SEE 11.3 + Bitlocker + FIPS

    Broadcom Employee
    Posted Sep 11, 2020 03:53 PM
    You can see if anything was captured for this client into the database. Check your SEEMSdb in the Computers table for the compID based on computer name, then use the CompID to return any Bitlocker keys it may have, and you can grab the recovery key ID from there and put it into the Help Desk console if it returns anything new.

    First:
    Select CompID from Computers where CompName = 'NameOfComputer'

    Second:
    Select RecoveryKeyID from BLRecoveryData where CompID = '#'
    (where # is the actual digits returned from the first query)

    It should come back with at least one RecoveryKeyID, and perhaps multiple. You should be able to try those IDs in the helpdesk console to hopefully spit out a recovery key for the machine that will work. Let me know what happens.

    Out of curiosity, is the recovery screen on the client only spitting out an 8-digit recovery ID?




  • 3.  RE: SEE 11.3 + Bitlocker + FIPS

    Posted Sep 14, 2020 06:38 AM
    Thanks for the reply.  I'm seeing them now.  I don't think it returns a value until the machine finishes encrypting?

    I got the whole key ID, not just the first set of characters (which works fine if you use AD of course).


    ------------------------------
    Best regards!

    Mark Housler
    Help Desk Manager
    GD NASSCO-Norfolk
    mhousler@nassconorfolk.com
    ------------------------------