Provide a Recovery Key for an End-user

Recovery Keys enable a user to access the encrypted device if they forget their password, or if an encrypted drive needs to be installed in a new computer.

Devices using TPM without a PIN option do not need to enter a pre-boot password, but will require the Recovery Keys if moving the drive to a new device.

During the device boot up, the user needs to enter their password or PIN to access the drives on the device. If they forget their password or PIN, they can press the Escape key to obtain a Key ID / Protector ID / Recovery Key ID. This is the key that they give to your technician. The technician then retrieves the Recovery Key and issues this to the end-user. The end-user enters the Recovery Key into the device, sets a new Passphrase or PIN and can then resume use of the device.

How to Retrieve the Disk Encryption Manager Recovery Key

  1. Locate the user's device in the North-pane of the RMM dashboard, and right-click on it to open the device context menu
  2. Select Managed Antivirus > Retrieve Recovery Key. The Retrieve Recovery Key dialog opens
  3. Enter the Key ID / Protector ID / Recovery Key ID provided by the user and then click Retrieve Recovery Key to display the Recovery Key
  4. Provide the user with the Recovery Key to allow them to unlock their device. You can use the Copy Recovery Key button to copy the key to the clipboard
  5. Once the user enters the Recovery Key on their computer, they must create a new password or PIN before unlocking the drive

Please see Disk Encryption End-user Experience for further end-user actions.

If you close your RMM (trial or full) account entirely then you will have to rely on your Recovery Key Report. Ensure you have produced the report and have saved this securely for future use before closing down you RMM account, as we do not store anything in this case.

If you delete your devices from RMM, the last known Recovery Key will be retained in the Recovery Key Report for 90 days only.

If you remove Disk Encryption Manager from devices, and they remain in RMM, you still have access to the Recovery Key Report which has the history of the last known Recovery Key before the device returned the control to the end user. Be aware, the end-user may have re-encrypted which would change the Recovery Key from what RMM last had on record.

In these scenarios, we highly recommended running the Recovery Key Report and storing it in a safe location before performing any other actions. Otherwise, you will not be able to access the Recovery Keys from RMM or Technical Support.