Endpoint Encryption

  • 1.  SEE for BitLocker client boot into recovery mode without recovery ID displayed

    Posted Aug 31, 2020 05:59 PM
    I use Symantec Endpoint Encryption for BitLocker to manage BitLocker encryption on Windows 10 computers. The machines are configured to lock out after 40 days of not communicating with the management server, and it has been working great. Recently I noticed that two machines were locked out and booted into recovery mode; however, the screen did not have the recovery ID displayed (see the screenshot below).

    It might not be an SEE issue, but I just wonder if anyone else uses SEE for BitLocker and has seen the issue before?

    ------------------------------
    MSSYM
    ------------------------------


  • 2.  RE: SEE for BitLocker client boot into recovery mode without recovery ID displayed

    Broadcom Employee
    Posted Sep 02, 2020 01:21 PM
    I've seen this before rarely, and we're not sure what causes it (as it's an internal BitLocker behavior and we don't have access to that code), but in my experience the larger value key should be available in the SEE database, you just have to go into SQL to find it manually. I know there are discussions internally about how to best overcome this issue on the SEE side to make it easier to deal with.

    There is a table in the SEEMSdb called BLRecoveryData. If you do a search on that partial key you may find the whole key and be able to use it in the SEE recovery console to unlock the machine.

    The SQL script would look something like this (assuming a random value of 9827FA32 I made up is the 8 digit partial key from a client's screen):

    select RecoveryKeyID from BLRecoveryData where RecoveryKeyID like '9827FA32%'

    I can't guarantee that will work but I have seen it work in the past. Let me know if it helps.


  • 3.  RE: SEE for BitLocker client boot into recovery mode without recovery ID displayed

    Posted Sep 04, 2020 11:34 AM
    I checked the database based on the CompID and only one recovery ID was found.
    I ran the query as you suggested, but changed the recovery ID to the one on the computer.
    select RecoveryKeyID from BLRecoveryData where RecoveryKeyID like '9887A3BB%'
    The recovery ID returned, which I already had, so I guessed you wanted me to find the recovery key; therefore I replaced the query with RecoveryKey:
    select RecoveryKey from BLRecoveryData where RecoveryKeyID like '9887A3BB%'
    Well, it returned the recovery key; however, it was an encrypted string. I might need to decrypt it to convert it to the human-readable 48 digits. Do you know how to do it?
    I got the recovery ID by accessing the command line and running the Microsoft command line tool manage-bde to get the recovery ID. I could use the recovery ID to retrieve the recovery key from the SEEM recovery web console, but the end user tried a few times and the recovery key was not able to unlock the machine. (I am pretty sure there is no typo, as we asked the user to read it back to us after we instructed the end user to type the recovery key in.)

    ------------------------------
    Morgan Stanley
    ------------------------------



  • 4.  RE: SEE for BitLocker client boot into recovery mode without recovery ID displayed

    Broadcom Employee
    Posted Sep 04, 2020 12:07 PM
    My original SQL statement stands as the idea was to get the full RecoveryKeyID from the database when the client was only displaying the first 8 characters. Once you had the full key, you would enter it into the SEE Helpdesk Recovery to get the actual Recovery Key to give to the client.

    Sounds like you did this though, and are still unable to unlock the machine. That's not good. It could be that another key was generated on the client but never made its way up to the SEE server. I will think on this a bit and hopefully get back to you shortly.


  • 5.  RE: SEE for BitLocker client boot into recovery mode without recovery ID displayed

    Posted Sep 04, 2020 12:28 PM
    From the recovery mode display, click on Skip and a few options show up; Command Prompt is one of the options, and we could run a native Microsoft BitLocker command to get the recovery ID:
    manage-bde -protectors -get c:
    It displays the recovery ID. On a normal machine, when I ran that command, I would get both the recovery ID and the recovery key, but on the machine that booted into recovery mode I could only see the recovery ID.

    ------------------------------
    Morgan Stanley
    ------------------------------



  • 6.  RE: SEE for BitLocker client boot into recovery mode without recovery ID displayed

    Posted Sep 14, 2020 06:42 AM
    Edited by Mark Housler Sep 14, 2020 06:43 AM
    (And I just noticed I wasn't the first one to suggest this lol)

    Hello.

    Assuming this is like when you use a Recovery flash drive, all you have to do is choose "Skip this drive" which should drop you off at a CMD prompt.

    Type manage-bde -protectors -get c: (assuming it's C:\)

    This will return the entire Key ID, under "Numerical Password" and then you can recover.


    ------------------------------
    Best regards!

    Mark Housler
    Help Desk Manager
    GD NASSCO-Norfolk
    mhousler@nassconorfolk.com
    ------------------------------



  • 7.  RE: SEE for BitLocker client boot into recovery mode without recovery ID displayed

    Posted Sep 21, 2020 03:34 AM
    I have found a workaround to address the issue; now I can make those machines boot up normally into the Windows Ctrl+Alt+Del prompt.
    Since the machine only displays 8 chars of the recovery ID, the first step is to get the complete recovery ID. I can get the complete recovery ID from the SEEM SQL database or on the problematic machine itself.
    A) Get the recovery key
    1) Get the complete recovery ID using the query Blake mentioned:
    select RecoveryKeyID from BLRecoveryData where RecoveryKeyID like '9827FA32%' (replace the number with the 8 chars displayed on your machine).
    2) Use the complete recovery ID to retrieve the recovery key from the SEEM web console.
    or from the machine
    1) At the recovery mode, choose Skip and access the command prompt.
    2) From the command prompt, use the Microsoft BitLocker utility to get the complete recovery ID:
    manage-bde -protectors -get c:
    On a good machine you will be able to get the recovery ID and key with the command, but on the problematic machine you can only get the complete recovery ID.
    3) Use the recovery ID to retrieve the recovery key from the SEEM web console.
    B) Workaround
    Note: We have the recovery key; in theory, we should be able to enter it at the recovery mode to unlock the machine. However, it did not work: the machine just reboots and returns to recovery mode with the same 8 chars displayed. Below is the workaround I used to address the issue.
    1) At the recovery mode, choose Skip and select Command Prompt in the advanced options.
    2) You are at the command prompt of the PE environment.
    3) Type the following command to unlock the machine:
    manage-bde -unlock c: -rp <recovery key retrieved from the console>
    You will see the successful unlock message.
    Please do not reboot; if you reboot now, the machine will boot into recovery mode again.
    4) Do not reboot, and continue to run another command:
    manage-bde -protectors -disable c:
    5) Now you can reboot the machine. Since it is the PE environment, shutdown /r will not work; type exit to reboot the machine.
    After the reboot, the machine will boot into the Windows logon prompt. Since the -disable default count is one time, BitLocker protection will turn back on automatically after the reboot, and you can use the machine as normal.



    ------------------------------
    MSSYM
    ------------------------------
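As an added example (not code from the thread, from SEE or from Microsoft), a PowerShell helper for the help-desk side of the procedure above: it parses the output of manage-bde -protectors -get C: copied off the affected machine, checks the full Numerical Password protector ID against the 8 characters shown on the recovery screen, and builds Blake's BLRecoveryData lookup as a parameterised query. The sample output and GUIDs are constructed, and the RecoveryKeyID column is assumed to be stored without braces, as the queries in the thread imply.

```powershell
# Added example: parse manage-bde output, match the 8-char screen prefix, build the SEEM lookup.
# Sample output and IDs are constructed; RecoveryKeyID storage format is assumed (no braces).
function Get-NumericalPasswordProtector {
    param([Parameter(Mandatory)][string[]]$ManageBdeOutput)
    $result = [ordered]@{ Id = $null; Password = $null }
    $inNumericalPassword = $false
    foreach ($line in $ManageBdeOutput) {
        $t = $line.Trim()
        if ($t -eq 'Numerical Password:') { $inNumericalPassword = $true; continue }
        if ($t -eq 'Password:') { continue }                 # sub-heading inside the section, not a new protector
        if ($t -match '^[A-Za-z ]+:$') { $inNumericalPassword = $false; continue }  # next protector, e.g. "TPM:"
        if (-not $inNumericalPassword) { continue }
        if ($t -match '^ID:\s*\{?([0-9A-Fa-f-]{36})\}?$') { $result.Id = $Matches[1].ToUpper() }
        elseif ($t -match '^(\d{6}-){7}\d{6}$') { $result.Password = $t }  # 48-digit key; absent on the affected machines
    }
    [pscustomobject]$result
}

function New-RecoveryKeyIdQuery {
    # Parameterised form of the query from the thread; never concatenate the screen value into SQL.
    param([Parameter(Mandatory)][string]$PartialKeyId)
    if ($PartialKeyId -notmatch '^[0-9A-Fa-f]{8}$') { throw 'Expected the 8 hex characters shown on the recovery screen' }
    @{
        Sql        = "select RecoveryKeyID, RecoveryKey from BLRecoveryData where RecoveryKeyID like @prefix + '%'"
        Parameters = @{ prefix = $PartialKeyId.ToUpper() }
    }
}

# Constructed sample: what the affected machine prints (ID only, no password block).
$sample = @'
Volume C: [OSDisk]
All Key Protectors

    Numerical Password:
      ID: {9827FA32-1111-2222-3333-444455556666}

    TPM:
      ID: {0F0F0F0F-AAAA-BBBB-CCCC-DDDDEEEEFFFF}
'@ -split "`r?`n"

$shownOnScreen = '9827FA32'
$protector = Get-NumericalPasswordProtector -ManageBdeOutput $sample
if (-not $protector.Id -or -not $protector.Id.StartsWith($shownOnScreen)) {
    throw "Numerical Password protector does not match the ID on the recovery screen ($shownOnScreen)"
}
if ($protector.Password) { "Recovery password is available locally: $($protector.Password)" }
else { "No local password; look it up in SEEM: " + (New-RecoveryKeyIdQuery -PartialKeyId $shownOnScreen).Sql }
```

On a healthy machine the Password block is present and the script prints the 48-digit key directly; on the machines described in this thread only the ID is found and the script emits the database lookup instead.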