Specops Key Recovery: Self-service for unlocking BitLocker-encrypted devices - Robert Pearman, Thu, Oct 24 2019
If you have ever had to talk a user through resetting a password, the thought of having to read out a 48-character BitLocker recovery key is perhaps enough to make you want to call in sick that day. But when a user out on the road is suddenly locked out of a device, what do you do?
You probably know that BitLocker key recovery is required if a user forgets the password of a BitLocker-encrypted device. You have recovery keys backed up to Active Directory, but you need a way to transmit the key to the user. Luckily, there is a solution. Specops Key Recovery for BitLocker is a service designed to provide self-service key recovery for BitLocker-enabled devices.
By installing an agent onto a server in your Active Directory domain, Specops Key Recovery (SKR) is able to retrieve the BitLocker recovery key from Active Directory and provide it to your user through a web front end.
Users can enroll, or be pre-enrolled, in the service by satisfying the enrollment policy configured by IT. Once enrolled, when a BitLocker lockout occurs, users are directed to the web front end to verify their identity and retrieve the key.
An administrator configures two separate policies: one for enrollment and one for authentication. The value of this approach is that users can enroll with more identity services than the authentication policy requires, so that recovery still works if one of those services is unavailable.
An administrator builds the MFA policy by dragging and dropping identity providers and assigning each a weight, shown as stars, that reflects the provider's level of assurance. For example, requiring the Google or Microsoft authenticator app scores two stars, while a secret question scores one star.
By mixing and matching identity providers, users must accumulate a configurable quota of stars both to enroll (in this example 5 stars) and for each subsequent authentication (in this example 3 stars).
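To make the star-quota logic concrete, here is an added example (not Specops code) that models the weighted policy described above and shows why enrolling above the authentication quota matters: it reports which enrolled providers are single points of failure for recovery. The provider names and the `sms_code` weight are assumptions; only the two-star authenticator and one-star secret question come from the article.

```python
# Weighted MFA policy model for self-service recovery.
# Constructed provider weights: authenticator apps and secret question
# follow the article's example; sms_code is an assumed extra provider.
PROVIDER_STARS = {
    "google_authenticator": 2,
    "microsoft_authenticator": 2,
    "secret_question": 1,
    "sms_code": 1,
}

ENROLLMENT_QUOTA = 5      # stars needed to enroll (article's example)
AUTHENTICATION_QUOTA = 3  # stars needed per recovery attempt (article's example)


def stars(providers):
    """Total star weight of a set of providers; unknown names are rejected."""
    total = 0
    for p in providers:
        if p not in PROVIDER_STARS:
            raise ValueError(f"unknown identity provider: {p}")
        total += PROVIDER_STARS[p]
    return total


def can_enroll(enrolled):
    """True if the user's chosen providers meet the enrollment quota."""
    return stars(enrolled) >= ENROLLMENT_QUOTA


def can_authenticate(enrolled, unavailable=()):
    """True if the providers still reachable meet the authentication quota.

    `unavailable` models an outage of one or more identity services.
    """
    usable = [p for p in enrolled if p not in set(unavailable)]
    return stars(usable) >= AUTHENTICATION_QUOTA


def single_points_of_failure(enrolled):
    """Providers whose outage alone would block the user's recovery.

    An empty list means the enrollment has the redundancy the article
    recommends: any one service can be down and recovery still works.
    """
    return sorted(p for p in enrolled if not can_authenticate(enrolled, {p}))


if __name__ == "__main__":
    user = {"google_authenticator", "microsoft_authenticator", "secret_question"}
    print("enroll:", can_enroll(user), "spof:", single_points_of_failure(user))
```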
The server agent, known as the Gatekeeper, is a small service that acts as a bridge between your domain and the cloud service. The installer provides several options for delegating permissions to a service account, allowing you to maintain least-privilege access in your domain. There are also options for running the agent on Server Core rather than the full desktop experience.
In addition to the MFA requirements, the management portal allows for additional security settings with geo-blocking IP ranges or entire countries.
The portal also offers the customizations you would expect, plus some neat additions, such as the ability to customize the messages your users see at each stage of the enrollment or authentication process.
But the real test of a service like this is its ease of use for stranded users who need access to their devices. To that end, I simulated a support call by handing my wife a set of credentials for my test domain.
No one from IT had to walk her through the process. Instead, she was directed to the Specops site for recovery.
Within five minutes, she had the full 48-character recovery key on her mobile device and could have unlocked her laptop.
All things considered, I was impressed with Specops Key Recovery for BitLocker, the management portal, and the support I received when I raised several queries for clarification on how things worked.