Standalone backup agent for Microsoft Windows servers and workstations (formerly Veeam Endpoint Backup FREE)
sayaol
Novice
Posts: 3
Liked: never
Joined: Jun 10, 2026 4:44 pm
Full Name: Lee Sayao

Recovery Media Feature Request

Post by sayaol »

Thank you for a great product. We are using Veeam Agent for Microsoft Windows to manage “standalone” field laptops that do not touch the network often, but want to be able to create and maintain backups. These laptops are encrypted with BitLocker and the keys are stored in Active Directory. Disk 0 is dedicated to OS, Disk 1 is split equally with drive letters D for Data, and E for Backup purposes. The E drive stores the 7 day retention daily backups of both C and D drives. This means we have 3 BitLocker encrypted drives and all keys are typically sent to Active Directory at the same time (more on this later).

Feature Request: When using the unlock function in the Veeam Recovery Media, the user is only provided the drive letter. Active Directory does not store the drive letter, but rather the Password ID/GUID of the drive. Would it be possible to list the first 8 hexadecimal characters of the GUID to help identify the correct drive? This could be a details button on each drive, or a hover menu of sorts. Active Directory has a nifty search tool that is used to enter the first 8 characters of the Password ID to help locate the correct password. Without this we have to look up the device in AD, then correlate the timestamps of the keys (typically C first, then subsequent drives).

Format of the GUID is covered here, https://learn.microsoft.com/en-us/windo ... assword-id

This would help greatly so we could search Active Directory quickly during the recovery process. In my instance, we have to unlock 3 drives for a successful bare metal restore.

When booting a BitLocker encrypted drive, the full Recovery ID is provided, so there should be some way for the Recovery Media to detect these identifiers.
Nils
Enthusiast
Posts: 61
Liked: 9 times
Joined: Jun 18, 2013 8:12 am
Full Name: Nils Petersen

Re: Recovery Media Feature Request

Post by Nils »

How about running an inventory after installation using PowerShell:

Code:

Get-Volume | Select-Object DriveLetter,UniqueId

Re: Recovery Media Feature Request

Post by sayaol »

That Unique Id is not the same as the BitLocker Recovery ID. I do not believe you can access a full PowerShell prompt inside the Veeam Recovery Media environment. It uses WinPE.

Re: Recovery Media Feature Request

Post by Nils »

I see. I meant reading and saving the IDs before you need them.

You can configure a GPO to store BL recovery IDs in AD where you can access them with the required privileges. See https://theitbros.com/config-active-dir ... very-keys/

You can also access the IDs using PS, it's just a bit more complicated.

Code:

(Get-BitLockerVolume -MountPoint X).KeyProtector
(replace X with the actual drive letter)

Re: Recovery Media Feature Request

Post by sayaol »

Yup! I've already done that. My request is to have these Recovery IDs easily visible in the Recovery Environment for AD Search.
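
The pre-recovery inventory discussed in this thread, reduced to what the AD search needs: drive letter, recovery password ID and its first 8 characters. This is an added example, not part of any post above; the names `Get-RecoveryIdInventory` and `New-SampleVolume` and the sample GUIDs are made up for illustration.

```powershell
# Added example: list BitLocker recovery-password protector IDs per drive.
# It emits identifiers only, never the 48-digit recovery password.
function Get-RecoveryIdInventory {
    [CmdletBinding()]
    param(
        # Objects shaped like Get-BitLockerVolume output.
        [Parameter(Mandatory, ValueFromPipeline)]
        [object[]]$Volume
    )
    process {
        foreach ($v in $Volume) {
            $protectors = @($v.KeyProtector |
                Where-Object { "$($_.KeyProtectorType)" -eq 'RecoveryPassword' })
            if ($protectors.Count -eq 0) {
                Write-Warning "$($v.MountPoint): no recovery password protector"
                continue
            }
            foreach ($p in $protectors) {
                # KeyProtectorId is a GUID wrapped in braces.
                $id = "$($p.KeyProtectorId)".Trim('{', '}').ToUpperInvariant()
                [pscustomobject]@{
                    MountPoint   = $v.MountPoint
                    PasswordId   = $id
                    SearchPrefix = $id.Substring(0, 8)   # what the AD search takes
                }
            }
        }
    }
}

# Constructed sample (made-up GUIDs) matching the C/D/E layout in the thread.
function New-SampleVolume($Mount, $RecoveryId) {
    [pscustomobject]@{
        MountPoint   = $Mount
        KeyProtector = @(
            [pscustomobject]@{ KeyProtectorType = 'ExternalKey'
                               KeyProtectorId   = '{00000000-0000-0000-0000-000000000000}' }
            [pscustomobject]@{ KeyProtectorType = 'RecoveryPassword'
                               KeyProtectorId   = $RecoveryId }
        )
    }
}
$sample = @(
    New-SampleVolume 'C:' '{1A2B3C4D-1111-2222-3333-444455556666}'
    New-SampleVolume 'D:' '{5E6F7A8B-1111-2222-3333-444455556666}'
    New-SampleVolume 'E:' '{9C0D1E2F-1111-2222-3333-444455556666}'
)
$sample | Get-RecoveryIdInventory | Format-Table -AutoSize

# On a real machine (elevated prompt): Get-BitLockerVolume | Get-RecoveryIdInventory
```

A recovery password protector gets a new ID whenever it is removed and re-added, so the inventory needs to be refreshed after any key rotation.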