Specops Key Recovery

Self-service key recovery

How can IT departments minimize encryption lockout calls at the service desk? Specops Key Recovery is an enterprise self-service solution for unlocking devices encrypted by BitLocker and Symantec Endpoint Encryption. A user who is locked out at the pre-boot authentication screen can use Specops Key Recovery to unlock their computer, without calling the IT service desk. For added security, users are verified with multi-factor authentication before receiving a recovery key. The solution supports a number of authentication factors, including Duo Security, Okta, and Mobile Code.

  • Self-service for BitLocker
  • Self-service for Symantec Endpoint Encryption
  • MFA with pre-enrollment

Specops Key Recovery is a self-service solution for unlocking computers encrypted by Microsoft BitLocker and Symantec Endpoint Encryption. A user who is locked out at the pre-boot authentication screen can use Specops Key Recovery to unlock their computer, without calling the helpdesk. For added security, users are verified with multi-factor authentication. The solution supports a number of authentication factors, including Duo Security, Symantec VIP, Okta, PingID and YubiKey.


To protect corporate data and address regulatory requirements, organizations are increasingly turning to endpoint encryption solutions. Encrypting an entire storage volume, commonly referred to as full-disk encryption (FDE), protects confidential information at rest from unauthorized access if a device is lost or stolen; it offers no protection once the system has been booted and unlocked.


FDE solutions such as BitLocker and Symantec Endpoint Encryption create a pre-boot authentication environment that requires the user to authenticate when the computer starts, and that falls back to a recovery key when a lockout is triggered (for example after too many failed PIN attempts or a change to the boot configuration). Without a self-service recovery solution, every such lockout becomes a call to the helpdesk.

How does it work?

You can configure Specops Key Recovery by installing the Gatekeeper component inside your organization's corporate network. The Gatekeeper accesses Symantec Endpoint Encryption and/or BitLocker to relay recovery keys to end users. The recovery key is encrypted inside the corporate network and decrypted only once it reaches the user's device, so it is not readable in transit. Specops Key Recovery does not access sensitive resources from Symantec Endpoint Encryption or BitLocker beyond what is needed to relay the key.
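The page says only that the recovery key is encrypted inside the corporate network and decrypted on the user's device, not how. The following Go program is an added illustration of one way to get that property, written for this page; it is not Specops code and does not describe the Gatekeeper's actual mechanism. It assumes the user's device holds an X25519 key pair (how that pair is enrolled is out of scope), seals the recovery key with an ephemeral ECDH agreement plus AES-256-GCM, binds the envelope to the device public key, and shows that a tampered envelope is rejected instead of yielding a wrong key. The recovery password is a constructed sample in the 48-digit BitLocker format, and the key-derivation label is an assumed value.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what crosses the network between the Gatekeeper (inside the
// corporate network) and the user's device. Nothing in it lets an
// intermediary recover the plaintext recovery key.
type Envelope struct {
	GatekeeperPub []byte // ephemeral X25519 public key of the sealer
	Nonce         []byte // AES-GCM nonce
	Ciphertext    []byte // AES-256-GCM(recovery key), authenticated
}

// deriveKey turns the X25519 shared secret into an AES-256 key. Hashing the
// secret with both public keys and a fixed label keeps the example inside the
// standard library; production code would use HKDF. The label is assumed.
func deriveKey(shared, devicePub, gatekeeperPub []byte) []byte {
	h := sha256.New()
	h.Write([]byte("example-recovery-key-envelope-v1"))
	h.Write(shared)
	h.Write(devicePub)
	h.Write(gatekeeperPub)
	return h.Sum(nil)
}

// SealRecoveryKey runs on the Gatekeeper side after the user's MFA factors
// have been verified. It encrypts the recovery key to the device public key,
// so the plaintext never leaves the corporate network unprotected.
func SealRecoveryKey(devicePub *ecdh.PublicKey, recoveryKey string) (*Envelope, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(devicePub)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(deriveKey(shared, devicePub.Bytes(), eph.PublicKey().Bytes()))
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// The device public key is additional authenticated data, so an envelope
	// sealed for one device cannot be replayed to another.
	ct := gcm.Seal(nil, nonce, []byte(recoveryKey), devicePub.Bytes())
	return &Envelope{GatekeeperPub: eph.PublicKey().Bytes(), Nonce: nonce, Ciphertext: ct}, nil
}

// OpenRecoveryKey runs on the user's device, which holds the private half of
// the enrolled key pair. Any modification of the envelope fails GCM
// authentication and returns an error rather than a wrong key.
func OpenRecoveryKey(devicePriv *ecdh.PrivateKey, env *Envelope) (string, error) {
	gkPub, err := ecdh.X25519().NewPublicKey(env.GatekeeperPub)
	if err != nil {
		return "", err
	}
	shared, err := devicePriv.ECDH(gkPub)
	if err != nil {
		return "", err
	}
	devicePub := devicePriv.PublicKey().Bytes()
	block, err := aes.NewCipher(deriveKey(shared, devicePub, env.GatekeeperPub))
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, devicePub)
	if err != nil {
		return "", errors.New("envelope failed authentication: tampered or wrong device")
	}
	return string(pt), nil
}

// SampleRecoveryPassword is a constructed value in the 48-digit BitLocker
// recovery password format. It is not a real key.
const SampleRecoveryPassword = "111111-222222-333333-444444-555555-666666-777777-888888"

// RoundTrip seals the sample for a fresh device key pair, opens it, and then
// checks that a bit-flipped envelope is rejected. It returns the recovered
// key and whether the tampering was detected.
func RoundTrip() (string, bool, error) {
	devicePriv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return "", false, err
	}
	env, err := SealRecoveryKey(devicePriv.PublicKey(), SampleRecoveryPassword)
	if err != nil {
		return "", false, err
	}
	got, err := OpenRecoveryKey(devicePriv, env)
	if err != nil {
		return "", false, err
	}
	tampered := *env
	tampered.Ciphertext = append([]byte(nil), env.Ciphertext...)
	tampered.Ciphertext[0] ^= 0x01
	_, tamperErr := OpenRecoveryKey(devicePriv, &tampered)
	return got, tamperErr != nil, nil
}

func main() {
	got, caught, err := RoundTrip()
	if err != nil {
		panic(err)
	}
	fmt.Println("recovered:", got, "| tamper detected:", caught)
}
```

The point to take from the example is the trust boundary: whoever operates the relay between the Gatekeeper and the device sees only the envelope, and the decision to release the key (the MFA check) happens before SealRecoveryKey is ever called. Whether a given product actually works this way is something to confirm with the vendor, not assume from a feature list.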

When a user attempts a self-service key recovery, Specops Key Recovery prompts the user to authenticate with the identity service(s) they enrolled with. The enrollment data is stored on a sub-object of the user's account in the on-premises Active Directory.

What does it look like?

Specops Key Recovery enhances security by extending multi-factor authentication to self-service key recovery. There are 20+ identity services available, so you can select the options that suit your users. Since not all identity services are equally secure, administrators can assign each identity service a trust value based on its perceived level of security. The trust value is set as a number of stars in the administrator view.

What does it look like for end users?

After verifying their identity via the methods configured by their administrator, the end user follows the on-screen steps to complete the recovery key process. The end-user-friendly instructions in Specops Key Recovery help minimize encryption lockout calls to the service desk.

Feature highlights                           | BitLocker alone                 | BitLocker with Specops       | Symantec Endpoint Encryption alone | Symantec Endpoint Encryption with Specops
Self-service key recovery                    | Yes (MBAM integrated with SCCM) | Yes                          | Yes                                | Yes
Remote self-service key recovery             | No                              | Yes                          | No                                 | Yes
Multi-factor authentication                  | No                              | Yes (20+ identity providers) | No (security questions)            | Yes (20+ identity providers)
Integration with self-service password reset | No                              | Yes, with Specops uReset     | No                                 | Yes, with Specops uReset
