Installation
Specops Key Recovery relies on the on-premises component Specops Gatekeeper to manage users in Active Directory. Refer to Install Specops Authentication Gatekeeper for the installation instructions.
After installation, Specops Key Recovery requires some post-installation steps. Refer to the following sections for details.
Post-installation
The following post-installation steps must be completed after Gatekeeper has been installed.
Set up Specops Key Recovery for Symantec Endpoint Encryption
1. In the Gatekeeper Admin Tool, select Key Recovery, and click Setup Specops Key Recovery.
2. The Setup Wizard will open. On the Begin page of the setup wizard, you will see a brief explanation of the prerequisites that must be in place before Specops Key Recovery can work successfully, including the minimum permissions that must be set. This includes:
   - Setting administrative access to the Symantec Endpoint Encryption Help Desk web.
   - Giving administrative access to the Symantec Endpoint Encryption SQL Server and database.
   - Setting the permission to create an Active Directory Security Group.
3. Click Next.
4. If you have multiple Gatekeepers installed, an additional page (Select Gatekeepers) will be displayed, and you will need to complete steps 4a-b. If you only have one Gatekeeper installed, this step will be automatically skipped.
   a. Configuration of Specops Key Recovery is stored on each Gatekeeper and cannot be replicated between Gatekeepers. Select the checkbox next to the Gatekeeper you want to configure.
   b. Click Next.
5. On the Find Symantec Endpoint Encryption service page of the setup wizard, enter the required information to enable Specops Key Recovery to access your company’s Symantec Endpoint Encryption environment. For more information, see Setting up your Symantec Endpoint Encryption account with Specops Key Recovery.
   a. Enter your Symantec Endpoint Encryption URL: For example, https://mydomain.com//8080/WebConsole/
   b. Enter your Symantec Endpoint Encryption Username: For example, DOMAIN\User
   c. Enter your Symantec Endpoint Encryption Password: Enter the password for your Symantec Endpoint Encryption environment
   d. Click Test Connection to ensure that Specops Key Recovery has successfully connected to your Symantec Endpoint Encryption environment.
   e. Click Next.
6. On the SQL preparations page of the setup wizard, you will need to create an Active Directory security group, grant the group access to the Symantec Endpoint Encryption SQL database, and enable remote access to the SQL Server. To complete these steps using the PowerShell script in the setup wizard, complete steps 6a-c. To complete these steps manually, or for more information, see Symantec Endpoint Encryption SQL configurations.
   a. Select the PowerShell link on the right-hand side of the Active Directory section. Copy the script, run it in PowerShell, and click OK.
   b. Select the PowerShell link on the right-hand side of the SQL Server section. Copy the script, run it in PowerShell, and click OK.
   c. Click Next.

   Note
   The user running the above scripts must have:
   - Permissions to create a security group, add the Specops Gatekeepers group to that security group, and restart the Gatekeeper.
   - Permission to enable remoting on the Symantec Endpoint Encryption SQL server, and add logins and roles.
7. On the Database page of the setup wizard, grant access to Symantec Endpoint Encryption by providing your SQL Server Instance and SQL Server Database Name.
   a. Click Test Connection to ensure the connection has been successful.
   b. Click Next.
8. On the Summary page of the setup wizard, you will see an overview of all the configured settings. If you are satisfied with the configuration, click Finish.
Set up Specops Key Recovery for BitLocker
1. In the Gatekeeper Admin Tool, select Key Recovery, and click Setup Specops Key Recovery.
2. The Setup Wizard will open. On the Begin page of the setup wizard, you will see a brief explanation of the steps that the wizard will perform. This includes:
   - Creating an Active Directory Security Group for Specops Key Recovery for BitLocker.
   - Defining the scope where the computers that can be recovered are located.
   - Giving your Gatekeepers permission to read recovery passwords for BitLocker.
   - Restarting the Gatekeeper(s).
3. Click Next.
4. Select where you want to create the Active Directory security group for Specops Key Recovery for BitLocker.
5. Click Next.
6. Select where your computers that are using Microsoft BitLocker are located. Permissions will be configured here for the security group, to allow Gatekeepers to read recovery passwords.
7. Click Next.
8. A summary is displayed. Verify that your configuration is correct, and press Finish to finalize the setup.
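
After the BitLocker wizard finishes, it is worth confirming which principals can actually read recovery passwords in the scope you selected. The following is an added example, not a script from Specops or from the wizard. The OU path and the group name are placeholders (assumptions) to replace with your own values, and it requires the RSAT ActiveDirectory module.

```powershell
# Added example (not Specops code): list every principal whose ACE on the scope OU
# lets it read BitLocker recovery passwords stored on descendant objects.
Import-Module ActiveDirectory

# ASSUMPTIONS: placeholder values, replace with your own.
$ScopeOU  = 'OU=Workstations,DC=example,DC=com'        # scope selected in the wizard
$Expected = @('EXAMPLE\Key Recovery BitLocker Group')   # security group the wizard created

# Look up the schema GUID of the msFVE-RecoveryInformation class instead of hardcoding it.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$fveClass = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(lDAPDisplayName=msFVE-RecoveryInformation)' -Properties schemaIDGUID
$fveGuid  = [guid]$fveClass.schemaIDGUID
$anyGuid  = [guid]::Empty

# msFVE-RecoveryPassword is a confidential attribute, so reading it needs the
# control-access (ExtendedRight) bit. GenericAll includes that bit.
$ctrl = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

$report = (Get-Acl -Path "AD:\$ScopeOU").Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.InheritanceType -ne 'None' -and                      # ACE must flow to child objects
    ($_.InheritedObjectType -eq $fveGuid -or
     $_.InheritedObjectType -eq $anyGuid) -and              # applies to recovery objects
    (($_.ActiveDirectoryRights -band $ctrl) -eq $ctrl)
} | ForEach-Object {
    [pscustomobject]@{
        Identity  = $_.IdentityReference.Value
        Rights    = $_.ActiveDirectoryRights
        AppliesTo = if ($_.InheritedObjectType -eq $fveGuid) {
                        'msFVE-RecoveryInformation'
                    } else {
                        'all descendant objects'
                    }
        Inherited = $_.IsInherited
        Expected  = $Expected -contains $_.IdentityReference.Value
    }
}

# Rows with Expected = False are the ones to review.
$report | Sort-Object Expected, Identity | Format-Table -AutoSize
```

Rows for built-in administrative groups with full control are normal; anything else marked as not expected deserves a closer look. The check covers only ACEs on the scope OU itself, not ACEs set directly on child OUs or individual computer objects.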