Specops’ Bitlocker key recovery

Sponsored by Specops

The problem

When an employee loses their laptop, the possibility of someone accessing their data by booting it up from a USB becomes very real. The answer to preventing unauthorised access to users’ devices is hard drive encryption.

Device encryption has become a security staple for many organisations, both as a means to prevent data leaks and to address compliance requirements. Close to 90 per cent of organisations rely on Microsoft Active Directory, and as Bitlocker is already included with Microsoft Windows, it is no surprise that it is the most widespread encryption solution.

As is the case with other IT security initiatives, the user experience can often be impacted negatively. Bitlocker isn’t always perfect. Sometimes users’ machines may fail to boot up properly, perhaps after a software update – users frequently report problems with Bitlocker’s encryption system unexpectedly locking them out of their PC.

When this happens, many users default to ringing the IT helpdesk. Sometimes this means they have to wait for a busy IT professional to get around to dealing with the support case. Depending on the organisation’s IT environment or the user’s location, the resolution of a particular support ticket can take time. And during that time, support costs are adding up as users lose productivity time without access to their devices and resources.

As with any IT helpdesk call, it is common for support staff to verify users’ identities before providing them with the recovery key. Unfortunately, even in this high-risk use case, helpdesk staff default to authenticating users with insecure methods such as employee ID, caller ID or, in some cases, a security question. All of these methods can be exploited by an attacker, who might be able to answer the security questions through social engineering, spoof the caller ID number or easily obtain the kind of employee ID that is commonly printed on access badges.

Once verified, the helpdesk will then need to share a complex string of characters over the telephone: the chance of mishearing or mistyping is high, adding further frustration (and cost) to the process.


You can learn more about the Specops key recovery system here.


The solution

There is a solution to this two-fold problem in the form of Specops’s self-service Key Recovery solution. This system allows people to securely recover access when confronted with the dreaded Bitlocker blue screen, deflecting the call from the IT helpdesk.

And it’s a simple solution that even the less technically gifted office worker should be able to handle.

How does it work? It is a very simple three-step process.

Step 1. A user is faced with the Bitlocker recovery screen – at this point the computer is effectively dead. No need to panic! Using another device, such as a smartphone, the user goes to the Specops Key Recovery URL, which can be branded to the organisation. The URL is conveniently displayed within the Bitlocker recovery mode screen.

Step 2. Specops then takes the user to the multi-factor authentication (MFA) screen. The solution supports various authentication factors out of the box, including ones that may already be in use. Duo Security and Symantec VIP are two commonly used third-party MFA systems, but the Specops platform supports well over a dozen, with new methods regularly being added. Support for third-party MFA allows organisations to extend the ROI of the platform by securing additional use cases. Many of the authentication methods can leverage existing Active Directory data, such as mobile phone numbers, to pre-enrol users into the system.

This is the security part of the process, but it is also flexible. If admins select factors that leverage existing Active Directory data, users don’t have to enrol in the system to use it. Additionally, the solution supports enrolling with more factors than are needed to authenticate; this ensures that users will always be able to complete the task in the event that one factor fails.

Step 3. Once authenticated, Specops shows the Bitlocker recovery key that needs to be typed into the Bitlocker recovery screen. Once the user does that, they have effectively unlocked Bitlocker and the system will allow them back into their computer. Simple.

Decrypting a hard disk needs to be secure. After all, hard disk encryption is designed to be a security feature that protects your confidential data. Specops not only secures this high-risk use case but also eliminates the support cost and user downtime associated with encryption key recovery.

With this highly flexible self-service system there is no need for users to bother busy IT helpdesks, and no risk that someone will succeed in faking the user’s credentials, either at the helpdesk or during self-service.

teiss’ verdict

The self-service encryption key recovery system balances security and usability. Specops Key Recovery makes it possible, regardless of the user’s location, to recover access on their own in the event that a Bitlocker Recovery mode is triggered.

Perhaps more importantly, the system is highly secure, with organisations able to select the multi-factor authentication factors they want to extend to users, which makes adoption of the system more feasible through alternative factors and pre-enrolment.

Finally, it’s worth knowing that while the system is designed for the commonly used Windows Bitlocker encryption, it also works for Symantec’s separate device encryption system.
