Open BillysCoolJob opened 5 days ago
I cannot access the BitLocker Recovery ID from Fleet, only the recovery key.
Nothing. We've tried nothing and we're all out of ideas.
Fleet would display the BitLocker Recovery ID in addition to the Recovery Key when requesting it from the host.
Click into an example host in the Fleet dashboard > Actions > Show disk encryption key > The BitLocker Recovery ID would be shown in this window above the Recovery Key.
User requested this because Fleet is escrowing a disk encryption key that doesn't successfully unlock the device. The user believes there's a different disk encryption key (Windows can have more than one) that works. If they had a Recovery ID, they'd be able to get a working recovery key (different from the one escrowed to Fleet).
@BillysCoolJob is there a BitLocker recovery key escrowed to Fleet? Is that BitLocker recovery key not unlocking the device?
@noahtalerman So the recovery key itself is displayed correctly, and it does work to decrypt the main boot volume; however, that is not the issue. The issue comes from the matching Recovery ID not being shown. This would be helpful because when a device is at the pre-boot BitLocker screen, it only shows the BitLocker Recovery ID associated with the boot drive, and there is no way to tell what drive that actually is if you can't match the recovery key to the Recovery ID. Normally this would be fine, but with computers that have multiple BitLocker-encrypted drives, this becomes an issue, as you can't tell which recovery key/drive the machine is trying to use to boot.
the recovery key itself is displayed correctly and it does work to decrypt the main boot volume
@BillysCoolJob great. In case it's helpful, currently, Fleet only enforces disk encryption and escrows the key on the C: volume (default drive).
From the guide here:
when a device is at the pre-boot bitlocker screen, it only shows the bitlocker recovery ID associated with the boot drive and there is no way to tell what drive that actually is if you can't match the recovery key to the recovery ID
with computers that have multiple bitlocker encrypted drives, this becomes an issue as you can't tell which recovery key/drive the machine is trying to use to boot
Are you looking to decrypt other drives? (not the C: volume)
P.S. Apologies for the basic questions. I'm asking them to try to get to the root problem here.
@noahtalerman Yes, these machines have multiple BitLocker-encrypted drives in them. I think the thing to understand here is the difference between the Recovery ID and the Recovery Key: the Recovery ID is the drive marker for BitLocker, and the Recovery Key is the key to unlock that drive. I am aware that Fleet only enables BitLocker for the C drive.
In a multi-drive machine with multiple volumes locked by BitLocker (for example, dual-boot machines), and because Fleet does not show the Recovery ID that it got the key from, when the machine boots to the BitLocker screen there is no way to determine which key should be used to decrypt the drive.
As the Fleet admin I can determine this by process of elimination, but our engineers and other staff won't know all this and usually associate the drive they are being asked to unlock by the Recovery ID.
For example, this is a screenshot from Google, but it gets the point across: this machine is asking for a Recovery Key that matches the Recovery ID displayed, but there is no way to determine if that is the C drive on the machine because Fleet does not provide us the Recovery ID:
The requirement to encrypt anything other than the System drive is (to me) outside the scope of enforcing disk encryption generally. It is true that an org may have a requirement for multiple drives being encrypted or have a different meaning of "full disk encryption" but what's generally meant by disk encryption on a 1:1 deployed computer on all platforms is that the drive on which the OS & user data exists is encrypted.
@nonpunctual I agree. I think that adding multi-disk encryption to Windows would be a fun feature add to Fleet, but it is definitely out of scope for the currently established disk encryption enforcement. I'm not actually asking about getting Fleet to enable multi-disk encryption.
All I'm asking is that the Recovery ID be shown with the Recovery Key on the host's page. Right now it just shows the Recovery Key.
https://support.microsoft.com/en-gb/windows/find-your-bitlocker-recovery-key-6b71ad27-0b89-ea08-f143-056f5ab347d6
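As an added example (not Fleet's code and not from this issue), the following script shows how an admin can build the Recovery ID to volume mapping the thread is asking Fleet to display, by reading each volume's recovery-password protector on the host itself. It assumes the built-in BitLocker PowerShell module (`Get-BitLockerVolume`), an elevated session, and that the pre-boot recovery screen prints the first block of the protector GUID as the "Recovery key ID"; the `-EscrowedKey` and `-ShownRecoveryId` parameters are names chosen for this example.

```powershell
# Added example, not part of Fleet or of the original issue.
# Maps every BitLocker recovery-password protector to its volume so that the Recovery ID
# shown at the pre-boot screen can be tied to a drive letter, and so the key escrowed in
# Fleet can be checked against the OS volume's protector without printing any key.
function Get-BitLockerRecoveryMap {
    param(
        # Optional: the 48-digit recovery key Fleet shows for the host (assumed parameter name).
        [string] $EscrowedKey,
        # Optional: the "Recovery key ID" printed on the pre-boot screen (assumed parameter name).
        [string] $ShownRecoveryId
    )

    $rows = foreach ($vol in Get-BitLockerVolume) {
        # A volume can carry several protectors (TPM, password, recovery password, ...);
        # only RecoveryPassword protectors have a Recovery ID that the pre-boot screen asks for.
        foreach ($kp in ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
            $fullId = $kp.KeyProtectorId.Trim('{}')   # KeyProtectorId is stored as "{GUID}"
            [pscustomobject]@{
                MountPoint       = $vol.MountPoint
                VolumeType       = $vol.VolumeType      # OperatingSystem or Data
                ProtectionStatus = $vol.ProtectionStatus
                RecoveryId       = $fullId
                # Assumption: the pre-boot screen displays only the first GUID block.
                ShownId          = $fullId.Split('-')[0]
                # Compare against the key Fleet escrowed; the key itself is never emitted.
                MatchesEscrowed  = [bool]($EscrowedKey -and
                                          $kp.RecoveryPassword -eq $EscrowedKey.Trim())
            }
        }
    }

    if ($ShownRecoveryId) {
        # Accept either the short pre-boot form or a full GUID, with or without braces.
        $want = $ShownRecoveryId.Trim('{}').Split('-')[0]
        $rows = $rows | Where-Object { $_.ShownId -ieq $want }
    }
    $rows
}

# Usage: list every protector, then check which volume owns the ID the pre-boot screen showed
# and whether the key held in Fleet is the one for the C: (OperatingSystem) volume.
Get-BitLockerRecoveryMap | Format-Table -AutoSize
# Get-BitLockerRecoveryMap -ShownRecoveryId '1A2B3C4D' -EscrowedKey '<key from Fleet>' | Format-List
```

A row with `VolumeType = OperatingSystem` and `MatchesEscrowed = True` confirms that the key Fleet holds belongs to the boot volume; a pre-boot ID that only matches a `Data` row means the machine is asking for a key Fleet never escrowed.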