This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Best way to migrate existing users from Bitlocker Challenge/Response to standard Bitlocker recovery key

Hello,

We've been experiencing issues using Challenge/Response with the latest SafeGuard 8.00.5 client on Windows Bitlocker clients. We just had a case where a feature update occurred and the computer was not encrypted at the time (likely due to TPM status). When the computer updated to feature update 1803 it resolved it's TPM issue and was able to encrypt but when the update failed the actual .bek recovery key file was not able to unlock the drive. 

Each time the computer restarted it would go to Bitlocker recovery, we'd execute challenge/response, and the computer would go into Windows recovery/repair. Then we attempted to unlock the drive and decrypt with the actual .bek file but it could not decrypt the drive, invalid key. We also attempted to repair the UEFI startup entries but that did not work. We basically got stuck.

This is not the first time we've had issues with SafeGuard/Bitlocker Challenge/Response. In some cases, updates/feature updates have broken the UEFI boot entries and the option to enter Challenge/Response disappeared. We've been able to repair that issue but with all the issues involved we'd like to move away from it completely and keep a simple Bitlocker configuration with recovery key. 

So, is there an easy way to migrate away from Bitlocker C/R to standard recovery key without decrypting? What would be the process?

Bonus question, recommended method for moving clients from TPM to boot password without decrypting? Is this the right path? - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/manage-bde-protectors

Thank you!



This thread was automatically locked due to age.
Parents
  • Hi again Eric.

     

    Sorry to hear you're having C/R issues. I too decided to sack it off! I managed by rouge C/R clients by hand. Luckily all mine were SSD so decryption didn't take long. 

    As you feared though and as I recall - I couldn't remove C/R without decrypting. Didn't try that hard to look into it though but recall it came up with an error if you try and "un-select" BitLocker C/R as BitLocker is already installed/active.

    As you probably realise C/R modifies the booter - so it makes sense that it needs to have BitLocker removed/decrypted so that the booter can be put back to normal.

     

    Bonus question...

    Boot password do you mean TPM and PIN? You could use a password as a PIN but do remember that not only does it then make it confusing when you say PIN (as in numbers/digits) but many people would also want to use special characters with a password. This sadly is not supported and can lead to issues. I'd stick to PIN meaning a string of digits personally.

    If you want to have TPM and PIN and you already have TPM then it's simple and doesn't mean decrypting.

    At an ADMIN command prompt...

    manage-bde -protectors -add c: -TPMAndPIN

    Since you can't have TPM AND TPMANDPIN on the same device (because they're two conflicting options!) it will automatically remove TPM protector and add TPM WITH a PIN back.

    Make sure you use 6 digits. It is possible to use fewer but you need to configure a GPO for this as it's obviously an increased security risk.

     

    Hope this helps?

  • Michael,

    Thank you for the update/info! Time to update clients to 8.1!!!

  • You're very welcome!

     

    I'm now considering approaching this task too... :(

Reply Children
No Data