Encryption Recovery Key Search

You can get a device encryption recovery key by entering a volume or recovery identifier.

Retrieve recovery key (Windows computers)

If users are unable to log in to their encrypted computer, you can get a recovery key that is used to unlock the computer. There is a recovery key for each volume of a BitLocker-protected computer. It is created and backed up in Sophos Central before the computer is encrypted.

Note When Sophos Device Encryption is installed, existing BitLocker recovery keys are replaced automatically and can no longer be used.
Note Even if a policy has been disabled and the computer's Device Encryption status is shown as "Unmanaged", you can get a recovery key if one is available.

To get the recovery key, go to Computers, select the computer you want to recover, and click Retrieve Recovery Key. If you cannot find the computer in the list, ask the user for the recovery key identifier or the volume identifier and use it in the recovery wizard, as follows:

  1. Tell the user to restart the computer and press the Esc key on the BitLocker logon screen.
  2. Ask the user to provide you with the information displayed in the BitLocker recovery screen.
  3. In Sophos Central, go to Computers and click the Retrieve Recovery Key button.
  4. Enter at least five characters of the recovery key identifier or the volume identifier provided by the user.
  5. Click Show Key to display the recovery key.
    Note If you enter a volume identifier, Sophos Central displays all available recovery keys for this volume. The latest recovery key is the top one.
  6. Make sure that the user is authorized to access the encrypted device before you provide the recovery key.
    Note As soon as a recovery key is displayed to you as administrator, it is marked as used and will be replaced at the next synchronization.
  7. Give the recovery key to the user.

The user can now unlock the computer. Users of computers running Windows 8 or later are prompted to create a new PIN or password. Instructions for creating the PIN or password are displayed automatically.

After the computer has been recovered, a new recovery key will be created and backed up in Sophos Central. The old one will be deleted from the computer.

Retrieve recovery key (Macs)

If users forget their login password, you can get a recovery key that is used to unlock the computer.

To get the recovery key, go to Computers, select the computer you want to recover, and click Retrieve Recovery Key. If you cannot find the computer in the list, ask the user for the recovery key identifier or the volume identifier and use it in the recovery wizard, as follows:

  1. Tell the user to switch on their computer and wait until the Recovery Key ID is displayed.
    Note The recovery key ID is displayed for a short time. To display it again, users must restart their computer.
  2. Ask the user to tell you the Recovery Key ID.
  3. In Sophos Central, go to Computers and click the Retrieve Recovery Key button.
  4. Enter at least five characters of the recovery key identifier.
  5. Click the Show key button to display the recovery key.
  6. Make sure that the user is authorized to access the encrypted device before you provide the recovery key.
  7. Give the recovery key to the user.
    • For users imported from Active Directory, continue to step 8.
    • For all other users, go straight to step 10.
  8. Reset the existing password in Active Directory. Then generate a preliminary password and give it to the user.
  9. Tell the user to click Cancel in the Reset Password dialog and enter the preliminary password instead.
  10. Tell the user to do as follows:
    • Create a new password.
    • Click Create New Keychain if prompted.

The user can access the computer again.

On endpoints running macOS 10.12 or earlier, a new recovery key is created and stored in Sophos Central. A recovery key can only be used once. If you need to recover a computer again later, you need to retrieve a new recovery key.

On endpoints running macOS 10.13 and Apple File System (APFS), no new recovery key is created. The existing recovery key remains valid.
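The lookup rules that both procedures above rely on (a fragment of at least five characters matched against either the recovery key identifier or the volume identifier, all keys of a volume listed with the latest on top, and a displayed key marked as used) can be modelled in a few lines. The following is an added example written for this page, not Sophos Central code or its API; the identifiers, key values, dates and the audit record are constructed placeholders.

```python
from dataclasses import dataclass, field
from datetime import datetime

MIN_FRAGMENT = 5  # the wizard accepts at least five characters of either identifier


@dataclass
class RecoveryKey:
    key_id: str      # recovery key identifier shown on the recovery screen (constructed)
    volume_id: str   # identifier of the encrypted volume the key belongs to (constructed)
    secret: str      # the recovery key itself (constructed placeholder value)
    created: datetime
    used: bool = False


@dataclass
class RecoveryKeyStore:
    keys: list = field(default_factory=list)
    audit: list = field(default_factory=list)  # who revealed which key, and when

    def search(self, fragment: str) -> list:
        """Return keys whose key or volume identifier starts with fragment, newest first."""
        frag = fragment.strip().lower()
        if len(frag) < MIN_FRAGMENT:
            raise ValueError(f"enter at least {MIN_FRAGMENT} characters of the identifier")
        hits = [k for k in self.keys
                if k.key_id.lower().startswith(frag) or k.volume_id.lower().startswith(frag)]
        return sorted(hits, key=lambda k: k.created, reverse=True)

    def show_key(self, key: RecoveryKey, admin: str) -> str:
        """Reveal a key to an administrator: mark it used and record the event for audit."""
        key.used = True
        self.audit.append((admin, key.key_id, datetime.now()))
        return key.secret


def sample_store() -> RecoveryKeyStore:
    """Constructed sample data: one volume with an older and a newer recovery key."""
    return RecoveryKeyStore(keys=[
        RecoveryKey("A1B2C3D4-0000-0000-0000-000000000001", "VOL-7F3E-0001",
                    "111111-222222-333333-444444-555555-666666-777777-888888",
                    datetime(2023, 1, 10)),
        RecoveryKey("A1B2C3D4-0000-0000-0000-000000000002", "VOL-7F3E-0001",
                    "123456-234567-345678-456789-567890-678901-789012-890123",
                    datetime(2023, 6, 2)),
    ])


if __name__ == "__main__":
    store = sample_store()
    newest = store.search("VOL-7F3E")[0]   # a volume search lists every key, latest on top
    print(store.show_key(newest, "admin@example.com"), newest.used, store.audit)
```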