imccarthy
Engaged Sweeper II
Hi All,

I have updated to Lansweeper v.7.2.100.20 hoping to view Bitlocker Recovery keys but I am getting no information found on the Recovery Keys page.

Encryptable volumes shows the C drive as Protection status On. I have granted the account Lansweeper uses access to the Bitlocker keys in active directory and confirmed my Lansweeper user has the correct permission to view Bitlocker keys in Lansweeper.

Any ideas on what to check or what I am missing?
11 REPLIES
Stephane
Engaged Sweeper
Hi, I do see recovery keys for most of the computers, but some that were done in the last couple of days won't show up. It could take days before Lansweeper integrates them. I've launched the manual scan on the device, but AD keys are stored within AD, not in the computer info. I would like to force the AD discovery for a specific computer?
Esben_D
Lansweeper Employee
Stephane wrote:
Hi, I do see recovery keys for most of the computers, but some that were done in the last couple of days won't show up. It could take days before Lansweeper integrates them. I've launched the manual scan on the device, but AD keys are stored within AD, not in the computer info. I would like to force the AD discovery for a specific computer?


What you could do is lower the minimal time between scans for AD computers if you really need the data quickly (you can always revert it later).

In the Scanning tab (below the exclusions) the AD scanning options allow you to choose how frequently an AD computer is scanned regardless of number of logons onto the DC. By default, an AD scan will only be done if the logon onto the DC was more than 20h ago.

So you could change the minimum time to like an hour and make sure that the computer's DC logon happens again.
Esben_D
Lansweeper Employee
Some more info that might be useful. BitLocker drive encryption information is scanned from WMI, while the BitLocker recovery key is scanned from AD. Since these are separate sources, this also means that from a data standpoint, these two are completely separate.

If your AD data isn't updating, check your server options within Lansweeper and make sure that "Refresh Active Directory computer details (OU,description,... )" is enabled under Asset Cleanup Options
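Added example, not part of the thread or Lansweeper's own tooling: a PowerShell check, run as the account Lansweeper scans with, that reports whether BitLocker recovery objects under a computer account are visible to that account and whether the recovery password attribute is readable, without displaying the password. The function name and the computer names are assumptions made for illustration.

```powershell
# Requires the ActiveDirectory module (RSAT). Run it under the credentials
# Lansweeper uses, so the result reflects what that account may read.
Import-Module ActiveDirectory

function Get-BitLockerKeyVisibility {   # hypothetical helper name
    param(
        [Parameter(Mandatory)]
        [string[]]$ComputerName
    )

    foreach ($name in $ComputerName) {
        try {
            $computer = Get-ADComputer -Identity $name -ErrorAction Stop
        } catch {
            [pscustomobject]@{ Computer = $name; VisibleKeyObjects = 0
                               ReadablePasswords = 0; NewestKey = $null
                               Status = 'ComputerNotFound' }
            continue
        }

        # Recovery information is stored in msFVE-RecoveryInformation objects
        # directly beneath the computer object.
        $keys = @(Get-ADObject -SearchBase $computer.DistinguishedName `
                -SearchScope OneLevel `
                -Filter "objectClass -eq 'msFVE-RecoveryInformation'" `
                -Properties whenCreated, 'msFVE-RecoveryPassword')

        # Count objects whose password attribute came back; the value itself
        # is never written to the output.
        $readable = @($keys | Where-Object { $_.'msFVE-RecoveryPassword' }).Count

        [pscustomobject]@{
            Computer          = $computer.Name
            VisibleKeyObjects = $keys.Count
            ReadablePasswords = $readable
            NewestKey         = ($keys | Sort-Object whenCreated -Descending |
                                 Select-Object -First 1).whenCreated
            # 'NoKeysVisible' means none are stored OR this account cannot see them.
            Status            = if (-not $keys.Count) { 'NoKeysVisible' }
                                elseif (-not $readable) { 'ObjectsVisiblePasswordNotReadable' }
                                else { 'KeysReadable' }
        }
    }
}

# Constructed sample names; replace with assets that show no key in Lansweeper.
Get-BitLockerKeyVisibility -ComputerName 'PC-EXAMPLE-01', 'PC-EXAMPLE-02' |
    Format-Table -AutoSize
```

Comparing `NewestKey` with the date of the asset's last Active Directory scan in Lansweeper shows whether a missing key is a permissions problem or simply a scan that has not run since the key was written.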
Stephane
Engaged Sweeper
Hi, same here. Restarted the Lansweeper service and then newer computers became populated. Created a quick report to see which computers had Encryption enabled, and recovery key missing, some do have the key in AD.

Select Top 1000000 Case
    When Coalesce(tblAssets.OScode, '') = '' And tblAssets.Assettype = -1 Then 'notscanned.png'
    When tblAssets.Assettype = -1 Then tsysOS.Image
    Else tsysAssetTypes.AssetTypeIcon10
  End As icon,
  tblAssets.AssetID,
  tblAssets.AssetName,
  tblAssets.Domain,
  tblADComputers.IsEnabled As Enabled,
  tsysOS.OSname As OS,
  tblAssets.SP,
  tblAssets.OScode + '.' + tblAssets.BuildNumber As Build,
  tblAssets.Version As [OS Version],
  tblAssetCustom.Manufacturer,
  tblAssetCustom.Model,
  tblAssetCustom.Location,
  tsysIPLocations.IPLocation,
  tblAssets.Firstseen,
  tblAssets.Lastseen
From tblAssets
  Inner Join tblADComputers On tblAssets.AssetID = tblADComputers.AssetID
  Inner Join tsysAssetTypes On tsysAssetTypes.AssetType = tblAssets.Assettype
  Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
  Inner Join tblEncryptableVolume On tblAssets.AssetID = tblEncryptableVolume.AssetId
  Left Outer Join tsysOS On tblAssets.OScode = tsysOS.OScode
  Left Outer Join tsysIPLocations On tsysIPLocations.LocationID = tblAssets.LocationID
Where (tsysOS.OSname = 'Win 10' Or tsysOS.OSname = 'Win 7')
  And tsysOS.OSname Not Like 'Win 2%'
  And tblAssets.Lastseen > GetDate() - 60
  And tblAssetCustom.State = 1
  And tblADComputers.ADObjectID Not In (Select tblBitLockerRecoveryKey.AdObjectId
    From tblBitLockerRecoveryKey)
  And tblEncryptableVolume.DriveLetter = 'C:'
  And tblEncryptableVolume.ProtectionStatus = 1
Order By tblAssets.AssetName
imccarthy
Engaged Sweeper II
Hi Guys,

BitLocker keys have started appearing for computers in Lansweeper. Not sure what triggered it. I did add an Active Directory domain as a scanning target but prior to that I already had IP range scans, Active Directory computer path & Active Directory user.
Stephane
Engaged Sweeper
The recovery keys are showing within my AD computer accounts, but the discovery of new ones from the AD doesn't seem to happen. How do we force the Encryption recovery key to be scanned? I've tried to launch the AD scan from Domain, but that didn't update the record, which is still dated 2 weeks ago.
grimstar
Champion Sweeper II
If you scan an individual device and then check the device, does it populate?

Also just to make sure, you are storing your BitLocker keys in AD already, correct?
grimstar
Champion Sweeper II
When viewing an individual machine - Config>Windows>BitLocker Encryption>Recovery Keys
Report Name - Computer: BitLocker recovery keys found in AD
OCESJF
Engaged Sweeper II
RKCar wrote:
When viewing an individual machine - Config>Windows>BitLocker Encryption>Recovery Keys
Report Name - Computer: BitLocker recovery keys found in AD
By the way, I see a report "Computer: BitLocker recovery keys found in AD",

but after scanning AD there is no info to show on the report.

I'm able to read the AD with the same credentials that I use to scan with Lansweeper.

Should we configure something in particular?