In certain scenarios the BitLocker recovery key (or file) is required to use the Windows Recovery Environment (WinRE) or other BitLocker recovery methods when the machine does not start (e.g. the BCD store is corrupt or an OS repair is required). For a client that is managed by SafeGuard Enterprise and has the BitLocker Challenge/Response feature installed, this key is not available. By default, only a logon recovery is possible using the C/R function (e.g. a forgotten TPM PIN or password).
Applies to the following Sophos products and versions:
SafeGuard BitLocker Client 8.0
SafeGuard Management Center 8.0
As of SafeGuard Enterprise 7.0 (backend), a hidden option has been implemented that allows extracting the *.bek file required by some of the recovery methods built into Windows.
There are two conditions that must be met to enable and show the 'Export recovery key' button in the Recovery Wizard of the SafeGuard Management Center:
1. The registry value 'RecoveryKeyExportEnabled' (DWORD) must be created and set to 1.
2. A Master Security Officer must be logged in on the Management Center.
When both conditions are met, the 'Export recovery key' button is shown and it is possible to export a BitLocker 'Recovery Key'.
Hint: A Security Officer is not able to use the 'Export recovery key' button. There is no 'Role' setting or special 'Access Right'.
Required registry keys:
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Utimaco\SafeGuard Enterprise\SafeGuard Management Center\Configuration]
"RecoveryKeyExportEnabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Utimaco\SafeGuard Enterprise\SafeGuard Management Center\Configuration]
"RecoveryKeyExportEnabled"=dword:00000001
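Because this value exposes the export of BitLocker recovery keys, it is worth knowing on which Management Center machines it is set. The following PowerShell is an added example, not Sophos code: it reports the state of 'RecoveryKeyExportEnabled' under both key paths listed above and can create or remove the value. The function and parameter names are hypothetical; the key paths and value name are the ones from this article.

```powershell
# Added example. Function and parameter names are hypothetical;
# the key paths and value name are the ones listed in the article.
$KeyPaths = @(
    'HKLM:\SOFTWARE\Wow6432Node\Utimaco\SafeGuard Enterprise\SafeGuard Management Center\Configuration',
    'HKLM:\SOFTWARE\Utimaco\SafeGuard Enterprise\SafeGuard Management Center\Configuration'
)
$ValueName = 'RecoveryKeyExportEnabled'

function Get-RecoveryKeyExportState {
    foreach ($path in $KeyPaths) {
        $state = [ordered]@{ Path = $path; KeyExists = $false; Kind = $null; Data = $null; Enabled = $false }
        if (Test-Path -LiteralPath $path) {
            $state.KeyExists = $true
            $key = Get-Item -LiteralPath $path
            if ($key.GetValueNames() -contains $ValueName) {
                $state.Kind = $key.GetValueKind($ValueName)
                $state.Data = $key.GetValue($ValueName)
                # The article requires a DWORD set to 1; any other type or data does not count.
                $state.Enabled = ($state.Kind -eq [Microsoft.Win32.RegistryValueKind]::DWord -and $state.Data -eq 1)
            }
        }
        [pscustomobject]$state
    }
}

function Set-RecoveryKeyExportState {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][bool]$Enabled)
    foreach ($path in $KeyPaths) {
        # Only touch key paths that already exist; never create a missing key.
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $present = (Get-Item -LiteralPath $path).GetValueNames() -contains $ValueName
        if ($Enabled -and $PSCmdlet.ShouldProcess($path, "Set $ValueName = 1 (DWORD)")) {
            # -Force overwrites an existing value, including one of the wrong type.
            New-ItemProperty -LiteralPath $path -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
        }
        elseif (-not $Enabled -and $present -and $PSCmdlet.ShouldProcess($path, "Remove $ValueName")) {
            # Removing the value returns the key to its state before the option was created.
            Remove-ItemProperty -LiteralPath $path -Name $ValueName
        }
    }
}

# Report the current state under both key paths.
Get-RecoveryKeyExportState | Format-Table -AutoSize
```

Run it from an elevated 64-bit PowerShell session so that both key paths are read without registry redirection; `Set-RecoveryKeyExportState -Enabled $false -WhatIf` previews the change without writing.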
To export a Recovery Key for a SafeGuard BitLocker Client, open the Management Center and go to Tools | Recovery... | Recovery Wizard, then select the SafeGuard BitLocker Client and click 'next'.
Use the 'Export recovery key' button to export the Recovery Key.