I have found a workaround to address the issue; now I can make those machines boot normally into the Windows Ctrl+Alt+Del prompt.
Since the machine only displays 8 characters of the recovery ID, the first step is to get the complete recovery ID. I can get the complete recovery ID from the SEEM SQL database or from the problematic machine itself.
A) Get the recovery key
1) Get the complete recovery ID using the query Blake mentioned:
select RecoveryKeyID from BLRecoveryData where RecoveryKeyID like '9827FA32%' (replace the number with the 8 characters displayed on your screen).
2) Use the complete recovery ID to retrieve the recovery key from the SEEM web console.
Or from the machine:
1) In recovery mode, choose Skip and go to the command prompt.
2) From the command prompt, use the Microsoft BitLocker utility to get the complete recovery ID:
manage-bde -protectors -get c:
On a good machine you will be able to get both the recovery ID and the key with this command, but on the problematic machine you can only get the complete recovery ID.
3) Use the recovery ID to retrieve the recovery key from the SEEM web console.
B) Workaround
Note: We have the recovery key; in theory, we should be able to enter it in recovery mode to unlock the machine. However, it did not work: the machine just rebooted and returned to recovery mode with the same 8 characters displayed. Below is the workaround I used to address the issue.
1) In recovery mode, choose Skip and select Command Prompt in the advanced options.
2) You are now at the command prompt of the PE environment.
3) Type the following command to unlock the machine:
manage-bde -unlock c: -rp <recovery key retrieved from the console>
You will see the successful unlock message.
Please do not reboot; if you reboot now, the machine will boot into recovery mode again.
4) Without rebooting, run another command:
manage-bde -protectors -disable c:
5) Now you can reboot the machine. Since it is a PE environment, shutdown /r will work; type exit to reboot the machine.
After the reboot, the machine boots into the Windows logon prompt. Since the -disable default count is one time, BitLocker protection turns back on automatically after the reboot, and you can use the machine as normal.
------------------------------
MSSYM
------------------------------
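The workaround above (get the full Numerical Password ID, unlock with the recovery password, suspend protectors for one reboot) scripted end to end, as an added example that is not part of the original post. It assumes the PE/RE command prompt has PowerShell available (the stock WinRE Command Prompt may not; in that case the three manage-bde commands are typed by hand exactly as described), that the OS volume is C:, and that the 48-digit recovery password has already been retrieved from the SEEM console. The function and parameter names are the example's own.

```powershell
# Added example, not from the original post. Run from the PE/RE command
# prompt after "Skip this drive" -> Command Prompt, e.g.:
#   powershell -File .\Unlock-AndSuspend.ps1 -RecoveryPassword 123456-...
# Assumptions: PowerShell is present in the PE image, OS volume is C:.
param(
    [Parameter(Mandatory = $true)]
    [string]$RecoveryPassword,   # 48 digits, with or without dashes
    [string]$Drive = 'C:'
)

$ErrorActionPreference = 'Stop'

# A BitLocker recovery password is 8 groups of 6 digits; each group is
# divisible by 11 and the quotient fits in 16 bits. Checking that first
# catches a mistyped or mis-copied key before an unlock attempt fails.
function Test-RecoveryPassword([string]$Password) {
    $digits = $Password -replace '[^0-9]', ''
    if ($digits.Length -ne 48) { return $false }
    for ($i = 0; $i -lt 8; $i++) {
        $group = [int]$digits.Substring($i * 6, 6)
        if (($group % 11) -ne 0 -or ($group / 11) -ge 65536) { return $false }
    }
    return $true
}

# Parse the full Numerical Password protector ID from manage-bde output so it
# can be matched against the SEEM console entry (the recovery screen only
# shows the first 8 characters). Output layout: a "Numerical Password:" line
# followed by an "ID: {GUID}" line; other protectors (TPM) have IDs too, so
# only accept the GUID that follows the Numerical Password heading.
function Get-NumericalPasswordId([string]$Volume) {
    $out = & manage-bde -protectors -get $Volume 2>&1
    $inNumerical = $false
    foreach ($line in $out) {
        if ("$line" -match 'Numerical Password') { $inNumerical = $true; continue }
        if ($inNumerical -and "$line" -match '\{([0-9A-Fa-f-]{36})\}') { return $Matches[1] }
    }
    return $null
}

if (-not (Test-RecoveryPassword $RecoveryPassword)) {
    throw 'Recovery password failed the BitLocker group check; re-copy it from the SEEM console.'
}
# Normalise to the dashed 6-digit-group form manage-bde expects.
$digits    = $RecoveryPassword -replace '[^0-9]', ''
$formatted = $digits -replace '(\d{6})(?=\d)', '$1-'

$id = Get-NumericalPasswordId $Drive
Write-Host "Numerical Password protector ID on $Drive : $id"

# Step 3: unlock the OS volume. Do not reboot between this and the next command.
& manage-bde -unlock $Drive -RecoveryPassword $formatted
if ($LASTEXITCODE -ne 0) { throw "manage-bde -unlock failed with exit code $LASTEXITCODE" }

# Step 4: suspend the protectors for exactly one reboot so Windows can start;
# BitLocker re-enables protection automatically after that reboot.
& manage-bde -protectors -disable $Drive -RebootCount 1
if ($LASTEXITCODE -ne 0) { throw "manage-bde -protectors -disable failed with exit code $LASTEXITCODE" }

& manage-bde -status $Drive
Write-Host 'Protectors suspended for one reboot. Type exit to reboot into Windows.'
```

The -RebootCount 1 switch makes the one-time nature of the suspension explicit rather than relying on the default, so the volume is not left with protectors off if someone later runs the same script with a different count in mind. Verify with manage-bde -status after the reboot that "Protection Status" is back to "Protection On".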
Original Message:
Sent: 09-14-2020 06:42 AM
From: Mark Housler
Subject: SEE for BitLocker client boot into recovery mode without recovery ID displayed
(And I just noticed I wasn't the first one to suggest this lol)
Hello.
Assuming this is like when you use a recovery flash drive, all you have to do is choose "Skip this drive", which should drop you at a CMD prompt.
Type manage-bde -protectors -get c: (assuming it's C:\)
This will return the entire Key ID under "Numerical Password", and then you can recover.
------------------------------
Best regards!
Mark Housler
Help Desk Manager
GD NASSCO-Norfolk
mhousler@nassconorfolk.com
Original Message:
Sent: 08-31-2020 05:58 PM
From: Hogan Chen
Subject: SEE for BitLocker client boot into recovery mode without recovery ID displayed
I use Symantec Endpoint Encryption for BitLocker to manage BitLocker encryption on Windows 10 computers. The machines are configured to lock out after 40 days of not communicating with the management server, and it has been working great. Recently I noticed that two machines were locked out and booted into recovery mode; however, the screen did not display a recovery ID (see the screenshot below).
It might not be an SEE issue, but I just wonder if anyone else uses SEE for BitLocker and has seen this issue before?
------------------------------
MSSYM
------------------------------