Why am I getting an event alert "A BitLocker recovery key has been revoked from: BKLAMME-8152Y0C" in the Sophos Cental console whenever I just read the Bitlocker recovery key?

Hello Yashpal,

Per our documentation:
Recovery key revoked:
A recovery key has been viewed in Sophos Central, so it has been revoked and will be replaced.

Click here for a list of the alerts from Device Encryption. 

Here's a general FAQ regarding Device Encryption for Windows:
FAQ on Sophos Central Device Encryption (Windows) 

If you require further assistance, could you please provide more information regarding the actions that took place, as well as the Sophos product involved and the environment ?

Regards,

Hi Barb,

Thanks for the response!

So, if I want to check if the recovery key is received or not and click on "Retrieve Recovery Key" in the console, the key gets revoked? When will the console receive a new key? 

Hello Yashpal,

Per the FAQ KB:
How often does the device synchronize with the backend?
Approximately every 30 seconds.

So next time you view the key, this process will restart (you will see the key, it will get revoked and a new one will be created). 

Please let me know if you have additional questions, or if this answers your query.

Regards,

Hello Barb,

What if i can see the recovery Key when i click Retrieve recovery key but not getting any alert that it is revoked.

Because, user can use the recovery Key but when user change the password (referring to MAC), he cannot login with new password but can login with the same recovery Key.

What should be done in this case ?

Agent on the client end is latest and receiving all the latest scan and updated events.

Regards,

Balarama Kishore Yerra

Hi balaramyerra,

For Mac, please have a look at this entry, and let me know if it helps:
Recover Mac endpoints

Here's the Mac Encryption FAQ for more info:
Sophos Central Device Encryption: Mac FAQ

If you need further assistance please provide more information regarding the issue, the MacOS version, and the Sophos version installed. 

Thanks!

Hi Barb,

Answer to my query is not listed there.

Mac OS Version 10.14

Sophos Agent Version 9.9.2

Regards,

Balarama Kishore Yerra

Hi Barb,

Answer to my query is not listed there.

Mac OS Version 10.14

Sophos Agent Version 9.9.2

Regards,

Balarama Kishore Yerra

Hi balaramyerra,

Regarding Mac encryption please review this this Apple article:
https://support.apple.com/en-in/HT204837

Regarding Sophos Central recovery key, please see below and let us know which steps you are following, and where are you getting stuck, so that we can better assist you.
Here's how to recover the key and change a password:
Retrieve recovery key (Mac)

Note that: 
On endpoints running macOS 10.12 or earlier, a new recovery key is created and stored in Sophos Central. A recovery key can only be used once. If you need to recover a computer again later, you need to retrieve a new recoverykey.
On endpoints running macOS 10.13 and Apple File System (APFS), no new recovery key is created. The existing recovery key remains valid.

Thanks!

Hi Barb,

"On endpoints running macOS 10.13 and Apple File System (APFS), no new recovery key is created. The existing recovery key remains valid."

As per this statement, will Sophos create an event in console that its been revoked once we check recovery key from console end ?

Regards,

Balarama Kishore Yerra

Hello balaramyerra 

Sophos will not create an event in the console for MAC machines as a revoke mechanism is only for the Windows Operating system which uses Bitlocker as their native encryption.