Bitlocker Encryption Recovery Key no information found

Posted: Monday, September 9, 2019 12:05:39 PM(UTC)
Ian Member Original Poster Posts: 4
Hi All,

I have updated to Lansweeper v.7.2.100.20 hoping to view BitLocker recovery keys, but I am getting "no information found" on the Recovery Keys page.

Encryptable volumes shows the C drive as Protection status On. I have granted the account Lansweeper uses access to the BitLocker keys in Active Directory and confirmed my Lansweeper user has the correct permission to view BitLocker keys in Lansweeper.

Any ideas on what to check or what I am missing?
#1 RKCar Member Posts: 36
posted: 9/9/2019 2:40:32 PM(UTC)
Have you performed a full AD scan since making the change? That's what I did and my BitLocker keys populated as the scan progressed.
#2 OCESJF Member Posts: 8
posted: 9/10/2019 4:58:38 PM(UTC)
Where are you able to see the BitLocker keys info for each computer?

Also, I only found how to see whether it is enabled or not under Config>Windows>Encryptable volume when I view the computer that I want to check.
#3 RKCar Member Posts: 36
posted: 9/10/2019 6:12:24 PM(UTC)
When viewing an individual machine - Config>Windows>BitLocker Encryption>Recovery Keys
Report Name - Computer: BitLocker recovery keys found in AD
#4 OCESJF Member Posts: 8
posted: 9/11/2019 4:13:07 PM(UTC)
Originally Posted by: RKCar
When viewing an individual machine - Config>Windows>BitLocker Encryption>Recovery Keys
Report Name - Computer: BitLocker recovery keys found in AD

By the way, I see a report "Computer: BitLocker recovery keys found in AD", but after scanning AD there is no info to show on the report.

I'm able to read the AD with the same credentials that I use to scan with Lansweeper.

Should we configure something in particular?
#5 RKCar Member Posts: 36
posted: 9/11/2019 4:37:50 PM(UTC)
If you scan an individual device and then check the device, does it populate?

Also just to make sure, you are storing your BitLocker keys in AD already, correct?
#6 Stephane Member Posts: 3
posted: 9/19/2019 3:00:16 PM(UTC)
The recovery keys are showing within my AD computer accounts, but the discovery of new ones from the AD doesn't seem to happen. How do we force the Encryption recovery key to be scanned? I've tried to launch the AD scan from Domain, but that didn't update the record, which is still dated 2 weeks ago.
#7 Ian Member Original Poster Posts: 4
posted: 9/19/2019 3:50:39 PM(UTC)
Hi Guys,

BitLocker keys have started appearing for computers in Lansweeper. Not sure what triggered it. I did add an Active Directory domain as a scanning target, but prior to that I already had IP range scans, Active Directory computer path & Active Directory user.
#8 Stephane Member Posts: 3
posted: 9/19/2019 5:15:25 PM(UTC)
Hi, same here. Restarted the Lansweeper service and then newer computers became populated. Created a quick report to see which computers had Encryption enabled and recovery key missing; some do have the key in AD.

Select Top 1000000
  Case
    When Coalesce(tblAssets.OScode, '') = '' And tblAssets.Assettype = -1 Then 'notscanned.png'
    When tblAssets.Assettype = -1 Then tsysOS.Image
    Else tsysAssetTypes.AssetTypeIcon10
  End As icon,
  tblAssets.AssetID,
  tblAssets.AssetName,
  tblAssets.Domain,
  tblADComputers.IsEnabled As Enabled,
  tsysOS.OSname As OS,
  tblAssets.SP,
  tblAssets.OScode + '.' + tblAssets.BuildNumber As Build,
  tblAssets.Version As [OS Version],
  tblAssetCustom.Manufacturer,
  tblAssetCustom.Model,
  tblAssetCustom.Location,
  tsysIPLocations.IPLocation,
  tblAssets.Firstseen,
  tblAssets.Lastseen
From tblAssets
  Inner Join tblADComputers On tblAssets.AssetID = tblADComputers.AssetID
  Inner Join tsysAssetTypes On tsysAssetTypes.AssetType = tblAssets.Assettype
  Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
  Inner Join tblEncryptableVolume On tblAssets.AssetID = tblEncryptableVolume.AssetId
  Left Outer Join tsysOS On tblAssets.OScode = tsysOS.OScode
  Left Outer Join tsysIPLocations On tsysIPLocations.LocationID = tblAssets.LocationID
Where (tsysOS.OSname = 'Win 10' Or tsysOS.OSname = 'Win 7')
  And tsysOS.OSname Not Like 'Win 2%'
  And tblAssets.Lastseen > GetDate() - 60
  And tblAssetCustom.State = 1
  And tblADComputers.ADObjectID Not In (Select tblBitLockerRecoveryKey.AdObjectId From tblBitLockerRecoveryKey)
  And tblEncryptableVolume.DriveLetter = 'C:'
  And tblEncryptableVolume.ProtectionStatus = 1
Order By tblAssets.AssetName
#9 Esben.D Member Administration Posts: 1,877
posted: 9/20/2019 11:56:30 AM(UTC)
Some more info that might be useful. BitLocker drive encryption information is scanned from WMI, while the BitLocker recovery key is scanned from AD. Since these are separate sources, this also means that from a data standpoint, these two are completely separate.

If your AD data isn't updating, check your server options within Lansweeper and make sure that "Refresh Active Directory computer details (OU,description,... )" is enabled under Asset Cleanup Options.
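
Added example (not part of the thread and not Lansweeper code): because the recovery keys come from AD rather than from the machine, one way to narrow down a "no information found" result is to query AD directly as the scanning account and see whether recovery objects exist under each computer account and whether their password attribute is readable. It assumes the ActiveDirectory PowerShell module (RSAT) is installed; the function name `Test-BitLockerKeyVisibility` and the computer names are hypothetical placeholders.

```powershell
# Added example: what BitLocker recovery data does AD expose to the scanning account?
# Requires the ActiveDirectory module (RSAT). Nothing secret is printed.
Import-Module ActiveDirectory

function Test-BitLockerKeyVisibility {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        # The account Lansweeper uses to scan AD (assumption: you can supply its credential).
        [Parameter(Mandatory)] [pscredential] $Credential
    )
    foreach ($name in $ComputerName) {
        $computer = Get-ADComputer -Identity $name -Credential $Credential

        # Recovery information is stored as child objects of the computer account.
        $recovery = @(Get-ADObject -SearchBase $computer.DistinguishedName `
            -Filter "objectClass -eq 'msFVE-RecoveryInformation'" `
            -Properties whenCreated, 'msFVE-RecoveryPassword' `
            -Credential $Credential)

        # Count objects whose password attribute was returned; the value itself is never output.
        $readable = @($recovery | Where-Object { $_.'msFVE-RecoveryPassword' }).Count
        $newest   = $recovery | Sort-Object whenCreated -Descending | Select-Object -First 1

        [pscustomobject]@{
            Computer         = $computer.Name
            RecoveryObjects  = $recovery.Count
            PasswordReadable = $readable
            NewestKeyCreated = if ($newest) { $newest.whenCreated } else { $null }
        }
    }
}

# Placeholder computer names (constructed for this example).
$cred = Get-Credential -Message 'Lansweeper AD scanning account'
Test-BitLockerKeyVisibility -ComputerName 'PC-EXAMPLE-01', 'PC-EXAMPLE-02' -Credential $cred |
    Format-Table -AutoSize
```

A row with `RecoveryObjects` at 0 means no key is stored in AD for that computer, while objects present with `PasswordReadable` at 0 means this account could list them but did not get the password attribute back. If both are non-zero, AD is serving the data to that account and the remaining question is when Lansweeper last refreshed it.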
#10 Stephane Member Posts: 3
posted: 9/20/2019 2:26:19 PM(UTC)
Hi, I do see recovery keys for most of the computers, but some that were done in the last couple of days won't show up. It could take days before Lansweeper integrates them. I've launched the manual scan on the device, but AD keys are stored within AD, not in the computer info. I would like to force the AD discovery for a specific computer?
#11 Esben.D Member Administration Posts: 1,877
posted: 9/24/2019 4:28:10 PM(UTC)
Originally Posted by: Stephane
Hi, I do see recovery keys for most of the computers, but some that were done in the last couple of days won't show up. It could take days before Lansweeper integrates them. I've launched the manual scan on the device, but AD keys are stored within AD, not in the computer info. I would like to force the AD discovery for a specific computer?

What you could do is lower the minimal time between scans for AD computers if you really need the data quickly (you can always revert it later).

In the Scanning tab (below the exclusions) the AD scanning options allow you to choose how frequently an AD computer is scanned regardless of number of logons onto the DC. By default, an AD scan will only be done if the logon onto the DC was more than 20h ago.

So you could change the minimum time to like an hour and make sure that the computer's DC logon happens again.
