
Recovery key audit on SafeGuard server to determine computers missing recovery information + missing .bek key for SafeGuard Challenge/Response

Hello,

I had a few questions regarding auditing a SafeGuard server to determine which computer accounts are missing recovery key information. I was able to dig up an article from way back when but it is no longer accessible - https://community.sophos.com/products/safeguard-encryption/f/sophos-safeguard-products/5663/workstation-locked-no-backup-key-available-help. I would like to run a script on the server side to determine which computers are missing recovery information. 

This all spawned from an issue with a client that was able to perform SafeGuard/BitLocker Challenge/Response but the computer would attempt startup repair and then go back to requiring a USB key (SafeGuard Challenge/Response). I then went to grab the actual .bek file from the console but got an error that it was not available. I'm wondering how this could have happened as this is the first time we've experienced it and ways to prevent it from happening. I believe the original lockout occurred from a Microsoft update that had issues - KB4058043 installed on 4/3/18.

  • Hi Eric,

    To identify Sophos Disk Encryption endpoints that are already protected and encrypted with the agent but did not yet report their Key Backup to the Sophos Management Server:

    1. Download MissingKeyBackups.zip
    2. Extract the archive and run the MissingKeyBackups.sql script against the SOPHOS Database (e.g. SOPHOS521)

    The MissingKeyBackups.sql script contains two select statements that will retrieve the number of endpoints with Sophos Disk Encryption 5.61 installed, which do not have a Recovery Key in the database and lists details (ComputerID, Type, State, ComputerName, DomainName, IPAddress) of these endpoints.

    Endpoints that are referenced in the MissingKeyBackups.sql script output do not have a Recovery Key in the database. To resolve the situation, make sure that the endpoint can communicate with the Sophos Management Server and reboot the Sophos Disk Encryption endpoint. Endpoints will automatically upload their Recovery Key to the Sophos Management Server once a connection was established successfully.

    After rebooting the endpoint, please periodically run MissingKeyBackups.sql again and make sure that the number of endpoints referenced by the script decreases.

    Raise a ticket with Sophos Support if the number of endpoints does not decrease or certain endpoints do not upload their Recovery Key. When opening a support ticket, please refer to this Knowledge Base Article.

    Let me know if this helps resolve your query.

    Haridoss Sreenivasan
    Technical Support Engineer | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.
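The answer above describes MissingKeyBackups.sql only in outline (a count plus a detail list of encrypted endpoints with no Recovery Key in the database). The following is an added example, not Sophos' script, that reproduces that audit logic against a hypothetical schema in an in-memory SQLite database; the table and column names, the constructed inventory rows and the SDE/BitLocker key-type distinction are all assumptions, and the real SafeGuard schema differs. It goes one step beyond the page by matching the stored key's type to the endpoint's encryption product, so a stale key of the wrong type does not hide a missing backup.

```python
import sqlite3

# Hypothetical schema standing in for the SafeGuard database that
# MissingKeyBackups.sql targets; real table/column names are not on the page.
SCHEMA = """
CREATE TABLE Computers (
    ComputerID INTEGER PRIMARY KEY, Type TEXT, State TEXT, ComputerName TEXT,
    DomainName TEXT, IPAddress TEXT, EncryptionProduct TEXT);
CREATE TABLE RecoveryKeys (ComputerID INTEGER, KeyType TEXT, KeyMaterial TEXT);
"""

# Constructed inventory: WS01/LT03 have matching key backups, WS02/LT04 never
# uploaded one, LT06 moved to BitLocker but only its old SDE key is stored,
# WS05 is not encrypted and must not be flagged.
COMPUTERS = [
    (1, "Workstation", "Encrypted", "WS01", "corp.example", "10.0.0.11", "SDE"),
    (2, "Workstation", "Encrypted", "WS02", "corp.example", "10.0.0.12", "SDE"),
    (3, "Laptop", "Encrypted", "LT03", "corp.example", "10.0.0.13", "BitLocker"),
    (4, "Laptop", "Encrypted", "LT04", "corp.example", "10.0.0.14", "BitLocker"),
    (5, "Workstation", "Unencrypted", "WS05", "corp.example", "10.0.0.15", None),
    (6, "Laptop", "Encrypted", "LT06", "corp.example", "10.0.0.16", "BitLocker"),
]
KEYS = [(1, "SDE", "sde-key-1"), (3, "BitLocker", "bek-3"), (6, "SDE", "sde-key-6")]

# Anti-join: encrypted endpoints with no stored key of the matching type.
# Joining on KeyType is what keeps LT06's stale SDE key from hiding the gap.
MISSING_SQL = """
SELECT c.ComputerID, c.Type, c.State, c.ComputerName, c.DomainName,
       c.IPAddress, c.EncryptionProduct
FROM Computers AS c
LEFT JOIN RecoveryKeys AS k
       ON k.ComputerID = c.ComputerID AND k.KeyType = c.EncryptionProduct
WHERE c.EncryptionProduct IS NOT NULL AND k.ComputerID IS NULL
ORDER BY c.ComputerID
"""

def build_db():
    """Create the in-memory sample database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO Computers VALUES (?,?,?,?,?,?,?)", COMPUTERS)
    conn.executemany("INSERT INTO RecoveryKeys VALUES (?,?,?)", KEYS)
    return conn

def audit_missing_keys(conn):
    """Return (count, rows): the two results the audit script is described as producing."""
    rows = conn.execute(MISSING_SQL).fetchall()
    return len(rows), rows
```

Call `audit_missing_keys(build_db())` to get the count and the per-endpoint detail rows; on a real deployment the count is the number to watch shrink after the endpoints reconnect and reboot.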

  • @Haridoss: There is no download link for MissingKeyBackups.zip. Are you sure that this script is also working for BitLocker recovery keys? You are mentioning version 5.61 where BitLocker support didn't exist yet. It lets me guess that this script is for Device Encryption only, but not for BitLocker.

    @Eric: From my experience the missing key can happen when the client hasn't been able to contact the management server for sending the key file. We had to rebuild some new computers for the same reason.

  • Hi Holger, 

    My bad and you are right, the above mentioned will not work for the BitLocker recovery keys.

    I suggest creating a support ticket in order to analyze this issue in depth and find a solution.

    Haridoss Sreenivasan
    Technical Support Engineer | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.