Summary
Trellix Native Drive Encryption (TNE) has identified a critical issue where BitLocker recovery keys are failing to escrow to the ePolicy Orchestrator (ePO) console. This occurs due to an SID mismatch between Azure AD (Entra ID) and Active Directory (AD). Currently, TNE is designed to work with AD only.
Recent Microsoft Secure Boot updates have triggered recovery prompts on endpoints. If an endpoint is affected by this escrow failure, there is no available recovery path via ePO, which may leave users unable to log in to their endpoints and can lead to permanent data loss or required system wipes.
Scope of impact
This issue occurs only when the following two conditions are met:
- TNE has performed a "takeover" of a BitLocker encryption from a third-party BitLocker management solution.
- The endpoint is not managed by AD, e.g., Entra ID/Azure AD, and there are no AD users on the endpoint.
Root cause and resolution
The SID mismatch blocks the key rotation policy and prevents the TNE Agent from syncing keys to the ePO database.
A proof of concept (POC) fix has been validated and is scheduled to be included in the next TNE release, which will be announced soon.
Immediate actions for administrators
Audit your environment
Identify at-risk systems immediately within the ePO System Tree using the following two filters:
- Filter 1: Recovery Key Status = "No Recovery keys found"
- Filter 2: TNE Deployment Status = "Installed and Active"
If TNE has taken over from an existing BitLocker management solution and escrow has failed for the endpoint, verify whether recovery keys exist in Azure AD via the Microsoft Entra portal, or in any other BitLocker management solution.
Remediation steps
If a system is identified as missing a recovery key in both ePO and Azure AD:
- Run the following command (as an administrator) on the local endpoint to confirm that protectors are active:
  manage-bde -protectors -get C:
- The output lists the recovery ID and the corresponding recovery key under the Numerical Password section. Save these details for recovery purposes if the endpoint does not have a recovery key escrowed in ePO.
- Use the TNE policy to turn BitLocker OFF and then ON again. This forces a new protector escrow.
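As an added example (not from the Trellix article and not part of the TNE product), the following PowerShell script performs the local check from the remediation steps with the Windows BitLocker module instead of manage-bde: it lists every volume, flags volumes that have no RecoveryPassword protector (the 48-digit Numerical Password that ePO escrows), and reports the recovery ID and key for the ones that do, so they can be saved before BitLocker is toggled OFF and ON through policy. It assumes an elevated PowerShell session on the endpoint; the -ReportPath parameter is an assumed option, and any file it writes contains recovery keys and must be kept in the secure location the article describes.

```powershell
# Added example, not Trellix/TNE code. Inventories BitLocker recovery
# protectors on the local endpoint so an administrator can confirm that
# protectors are active and record recovery IDs and keys before the TNE
# policy toggles BitLocker OFF/ON.
# Assumptions: elevated session on Windows; BitLocker module present;
# -ReportPath is an assumed parameter (no file is written unless given).
param(
    [string]$ReportPath = ''
)

function Get-BitLockerRecoveryAudit {
    foreach ($vol in Get-BitLockerVolume) {
        # RecoveryPassword protectors correspond to the "Numerical Password"
        # entries printed by: manage-bde -protectors -get <drive>:
        $recovery = @($vol.KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

        if ($recovery.Count -eq 0) {
            # No numerical password at all: there is nothing ePO could escrow,
            # so this volume needs remediation (OFF/ON via TNE policy).
            [pscustomobject]@{
                MountPoint       = $vol.MountPoint
                VolumeStatus     = $vol.VolumeStatus
                ProtectionStatus = $vol.ProtectionStatus
                KeyProtectorId   = $null
                RecoveryPassword = $null
                Finding          = 'NO RECOVERY PASSWORD PROTECTOR'
            }
            continue
        }

        foreach ($p in $recovery) {
            # KeyProtectorId is the recovery ID shown on the recovery screen;
            # RecoveryPassword is the 48-digit key to save for recovery.
            [pscustomobject]@{
                MountPoint       = $vol.MountPoint
                VolumeStatus     = $vol.VolumeStatus
                ProtectionStatus = $vol.ProtectionStatus
                KeyProtectorId   = $p.KeyProtectorId
                RecoveryPassword = $p.RecoveryPassword
                Finding          = 'OK'
            }
        }
    }
}

$audit = Get-BitLockerRecoveryAudit
$audit | Format-Table -AutoSize

# Flag volumes that need attention with a non-zero exit code so the script
# can be used from a deployment tool or scheduled task.
$missing = @($audit | Where-Object { $_.Finding -ne 'OK' })
if ($ReportPath) {
    # The report contains recovery keys: store it only in a secured location.
    $audit | Export-Csv -Path $ReportPath -NoTypeInformation
}
if ($missing.Count -gt 0) {
    Write-Warning ("{0} volume(s) without a recovery password protector" -f $missing.Count)
    exit 1
}
exit 0
```

Run it as .\Get-BitLockerRecoveryAudit.ps1 from an elevated prompt; a volume reported as NO RECOVERY PASSWORD PROTECTOR is one where the OFF/ON step above is required, and a volume reported OK still needs its key verified in ePO (or Entra) before it is considered safe.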
Proactive user safety
- Manual backups: Encourage users to manually back up their recovery keys to a secure location (or print them) until their system is verified.
- Continuous monitoring: Regularly audit the ePO console for any endpoints listed with missing recovery keys to prevent future lockouts.
Note: To receive information about product updates, sign up for the Support Notification Service.
For instructions, see the Thrive Portal User Guide and navigate to Profile and Settings > My Settings > Manage Support Notification Services (SNS) subscription preferences.