How to use Bitlocker Data Recovery Agent to unlock Bitlocker Protected Drives


Hello, my name is Manoj Sehgal. I am a Senior Support Escalation Engineer in the Windows group, and today's blog covers "How to use BitLocker Data Recovery Agent (DRA) to unlock BitLocker Protected Drives".

In Windows 7, a BitLocker-protected drive can be unlocked with a BitLocker DRA, provided a PKI infrastructure (an enterprise CA that can issue the DRA certificate) is in place.

What is a Data Recovery Agent?

Data recovery agents are individuals whose public key infrastructure (PKI) certificates have been used to create a BitLocker key protector, so those individuals can use their credentials to unlock BitLocker-protected drives. Data recovery agents can be used to recover BitLocker-protected operating system drives, fixed data drives, and removable data drives. However, when used to recover operating system drives, the operating system drive must be mounted on another computer as a data drive for the data recovery agent to be able to unlock the drive. Data recovery agents are added to the drive when it is encrypted and can be updated after encryption occurs.

Pre-requisites:

To use a DRA with BitLocker, the Group Policy setting that provides a unique identifier for your organization must be enabled. BitLocker only manages and updates data recovery agents on drives whose identification field matches the value configured in that policy, so without it the DRA is never applied to a drive.

To configure the GPO:

1. Expand Computer Configuration, Administrative Templates, Windows Components, BitLocker Drive Encryption.
2. Open the policy "Provide the unique identifiers for your organization" and enable it.
3. In the BitLocker identification field, enter your company name or any other string you choose; it is written to every drive encrypted under this policy.
4. Make sure the Allowed BitLocker identification field contains the same value. It is a comma-separated list of identifiers the computer accepts, and the DRA is only used on drives whose identification field appears in that list.

When is a BitLocker DRA used?

Windows 7 introduced the BitLocker DRA, which can be used to unlock fixed data drives and removable data drives (and, as noted above, an operating system drive once it is attached to another computer as a data drive).

Normally, when a USB flash drive or a fixed data drive is encrypted, a password is set to unlock it. A certificate-based DRA adds a further key protector to the drive, so the holder of the DRA certificate's private key can unlock the drive even when the password and the recovery key are unavailable.

On a Windows 7 client, open Control Panel –> BitLocker Drive Encryption to see all data drives and their protection status.

Open Certificate Manager (certmgr.msc) on the client computer.

Expand Personal and click Certificates. Right-click Certificates, select All Tasks, and then select Request New Certificate.

Under Certificate Templates, select the BitLocker DRA certificate template.

If you do not have a BitLocker DRA template, duplicate the Key Recovery Agent template on the CA and, under its Extensions, add BitLocker Drive Encryption and BitLocker Data Recovery Agent to the Application Policies. These correspond to the object identifiers 1.3.6.1.4.1.311.67.1.1 (BitLocker Drive Encryption) and 1.3.6.1.4.1.311.67.1.2 (BitLocker Data Recovery Agent). Also make sure "Allow private key to be exported" is enabled on the template's Request Handling tab: the private key is what unlocks the drive, and it has to travel to whichever computer the locked drive is attached to.

NOTE: If the BitLocker entries are not listed under Application Policies, log on to the domain controller with a schema admin account and install the BitLocker feature; the 'BitLocker Drive Encryption' and 'BitLocker Data Recovery Agent' application policies are listed once the feature is installed.

Click Enroll to install the certificate in the user's Personal store on the computer.

Export the certificate. For the Group Policy step that follows, export it without the private key as a DER-encoded binary X.509 (.cer) file; the GPO only needs the public certificate. If you also export the private key, do so separately as a password-protected PFX and keep that file offline: anyone holding the DRA private key can unlock every drive that carries the DRA protector.

Save the exported certificate to a location on your computer.
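The export step above, done from PowerShell instead of the certificate snap-in. This is an added example and not code from the original post: it finds the enrolled DRA certificate in the user's Personal store, checks that it has a private key and one of the BitLocker EKUs, writes the public part as a DER .cer for the GPO, and optionally backs up the private key as a password-protected PFX. The subject filter 'CN=BitLocker DRA' and the output folder C:\DRA are assumptions; adjust them to your environment.

```powershell
# Added example (not from the original post). Locate the enrolled DRA
# certificate, verify it is usable as a BitLocker DRA, export the public
# certificate (DER .cer) for the GPO, and optionally back up the private key.
# Written for Windows PowerShell 2.0+ (Windows 7) using only .NET X509 APIs.

$BitLockerDriveEncryptionOid = '1.3.6.1.4.1.311.67.1.1'   # BitLocker Drive Encryption
$BitLockerDraOid             = '1.3.6.1.4.1.311.67.1.2'   # BitLocker Data Recovery Agent

function Get-CertificateEkuOids([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    # Returns the EKU OIDs of the certificate; empty array if it has no EKU extension.
    $oids = @()
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) { $oids += $oid.Value }
        }
    }
    return ,$oids
}

function Test-BitLockerDraCertificate([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    # A usable DRA copy holds the private key (that is what unlocks the drive)
    # and carries one of the BitLocker EKUs added to the template in the post.
    if (-not $Cert.HasPrivateKey) {
        Write-Warning "$($Cert.Thumbprint): no private key; this copy cannot unlock drives."
        return $false
    }
    $ekus = Get-CertificateEkuOids $Cert
    if (($ekus -notcontains $BitLockerDraOid) -and ($ekus -notcontains $BitLockerDriveEncryptionOid)) {
        Write-Warning "$($Cert.Thumbprint): EKU list ($($ekus -join ', ')) lacks the BitLocker OIDs."
        return $false
    }
    return $true
}

function Export-BitLockerDraCertificate {
    param(
        [string]$SubjectFilter = 'CN=BitLocker DRA',   # assumption: subject of the enrolled DRA cert
        [string]$OutDir        = 'C:\DRA',             # assumption: export location
        [switch]$BackupPfx
    )
    $cert = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.Subject -like "*$SubjectFilter*" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate matching '$SubjectFilter' in Cert:\CurrentUser\My." }
    if (-not (Test-BitLockerDraCertificate $cert)) { throw 'Certificate is not usable as a BitLocker DRA.' }

    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $thumb = $cert.Thumbprint.ToLower()

    # Public certificate only (DER .cer): this is what "Add Data Recovery Agent" in the GPO consumes.
    $cerPath = Join-Path $OutDir "bitlocker-dra-$thumb.cer"
    $der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [System.IO.File]::WriteAllBytes($cerPath, $der)

    if ($BackupPfx) {
        # Private key backup (requires an exportable key). Keep this file off the
        # network: it unlocks every drive that carries the DRA protector.
        $pfxPath  = Join-Path $OutDir "bitlocker-dra-$thumb.pfx"
        $password = Read-Host -AsSecureString 'PFX password'
        $pfx = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $password)
        [System.IO.File]::WriteAllBytes($pfxPath, $pfx)
    }

    # The thumbprint is the value manage-bde -unlock -cert -ct needs later.
    return New-Object PSObject -Property @{ Thumbprint = $thumb; CerPath = $cerPath }
}

Export-BitLockerDraCertificate -BackupPfx
```

The .cer written here is the file you browse to in the "Add Data Recovery Agent" wizard; the .pfx is only for the DRA's own safekeeping and should never be distributed through Group Policy.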

Now a Group Policy can apply the DRA certificate to all machines in the OU.

Open the Group Policy Management Console and add the BitLocker DRA:

Expand Computer Configuration –> Windows Settings –> Security Settings –> Public Key Policies –> BitLocker Drive Encryption.

Right-click BitLocker Drive Encryption and then click Add Data Recovery Agent.

Note:

A user who wants an additional BitLocker DRA for a drive can add one through the local security policy:

  1. Open the Local Group Policy Editor (gpedit.msc) on the Windows 7 client machine.
  2. Expand Computer Configuration –> Windows Settings –> Security Settings –> Public Key Policies –> BitLocker Drive Encryption.
  3. Right-click BitLocker Drive Encryption and then click Add Data Recovery Agent.

Click Browse Folders and then select the exported certificate (.DER) file that was exported above.

After adding the DRA to the policy, go to the Windows 7 client machine and run 'gpupdate /force' so the new policy is applied.

The DRA key protector is only written to drives that are encrypted after the policy is in place. For drives encrypted earlier, run 'manage-bde -SetIdentifier <drive>' while the drive is unlocked; this applies the identification field from policy and adds the configured DRA protector. A drive that is already locked and never received the DRA protector cannot be unlocked by the DRA, so verify the protector list before relying on it.

On the Windows 7 client machine, open an elevated command prompt and use the following commands. Note that the protector listing prints the 48-digit numerical recovery password in clear text, so treat any saved output as sensitive.

To list the key protectors, run:

C:\>manage-bde -protectors -get f:
BitLocker Drive Encryption: Configuration Tool version 6.1.7600
Copyright (C) Microsoft Corporation. All rights reserved.
Volume F: [New Volume]

All Key Protectors

    Numerical Password:
      ID: {FB4FF4B1-AAA3-4BB6-937E-80E7241CA2F2}
      Password:
        526108-505340-456258-529034-347050-022297-147796-530310
    Password:
      ID: {96C170CF-65AF-42A7-BEF8-0AD21667C02B}
    Smart Card (Certificate Based):
      ID: {7BBF31F5-DEBD-4C24-B76F-012855B4EF39}
      Certificate Thumbprint:
        09141e2c459016b5c51754503956c1d62efeee62
    Data Recovery Agent (Certificate Based):
      ID: {E1749014-6760-4501-9A48-58152A587279}
      Certificate Thumbprint:
        1e66a3476615d9a1e51f56aec49024bb34b8a688


To lock the drive, use:

C:\>manage-bde -lock f:
BitLocker Drive Encryption: Configuration Tool version 6.1.7600
Copyright (C) Microsoft Corporation. All rights reserved.
Volume F: is now locked

To unlock the drive with the DRA, run the following as a user whose Personal certificate store holds the DRA certificate together with its private key (the public certificate alone is not enough), passing the thumbprint listed under the Data Recovery Agent protector:

C:\>manage-bde -unlock f: -cert -ct 1e66a3476615d9a1e51f56aec49024bb34b8a688
BitLocker Drive Encryption: Configuration Tool version 6.1.7600
Copyright (C) Microsoft Corporation. All rights reserved.
The certificate successfully unlocked volume F:.
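The same procedure scripted end to end, as an added example that is not part of the original post. It checks that the unique identifier policy is enabled and consistent, parses the manage-bde protector listing for DRA thumbprints, adds the DRA protector with manage-bde -SetIdentifier when the drive is still unlocked and lacks one, and then unlocks a locked drive with whichever DRA private key the current user holds. It assumes an elevated prompt, that the drive letter is a data drive attached to this machine, and that the DRA certificate with its private key is in Cert:\CurrentUser\My; the registry value names are those written by the "Provide the unique identifiers for your organization" policy under HKLM\SOFTWARE\Policies\Microsoft\FVE.

```powershell
# Added example (not from the original post): verify DRA prerequisites,
# confirm the drive carries a DRA key protector, and unlock it with the DRA
# certificate's private key. Run from an elevated PowerShell prompt.

function Test-BitLockerIdentifierPolicy {
    # Values written by the "Provide the unique identifiers for your organization" policy.
    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    if (-not $fve -or $fve.IdentificationField -ne 1) {
        Write-Warning 'Unique identifier policy is not enabled; BitLocker will not add a DRA protector.'
        return $false
    }
    $id      = [string]$fve.IdentificationFieldString
    $allowed = @(([string]$fve.SecondaryIdentificationField) -split ',' | ForEach-Object { $_.Trim() })
    if ($allowed -notcontains $id) {
        Write-Warning "Identification field '$id' is not in the allowed list '$($allowed -join ',')'."
        return $false
    }
    return $true
}

function Get-BitLockerLockStatus([string]$Drive) {
    # "Locked" or "Unlocked" from manage-bde -status; $null if the drive is not BitLocker-protected.
    foreach ($line in (& manage-bde -status $Drive 2>&1)) {
        if ([string]$line -match 'Lock Status:\s*(\w+)') { return $matches[1] }
    }
    return $null
}

function Get-BitLockerDraThumbprints([string]$Drive) {
    # Parses manage-bde -protectors -get: protector headings are lines indented
    # four spaces ending in ':'; the 40-hex-digit line under
    # "Data Recovery Agent (Certificate Based):" is the DRA certificate thumbprint.
    $thumbs = @()
    $inDra  = $false
    foreach ($line in (& manage-bde -protectors -get $Drive 2>&1)) {
        $text   = [string]$line
        $indent = $text.Length - $text.TrimStart().Length
        if ($text.TrimEnd().EndsWith(':') -and $indent -gt 0 -and $indent -le 4) {
            $inDra = $text.Contains('Data Recovery Agent')
        } elseif ($inDra -and $text -match '^\s*([0-9a-fA-F]{40})\s*$') {
            $thumbs += $matches[1].ToLower()
        }
    }
    return ,$thumbs
}

function Unlock-BitLockerDriveWithDra([string]$Drive) {
    if (-not (Test-BitLockerIdentifierPolicy)) { return $false }

    $status = Get-BitLockerLockStatus $Drive
    if (-not $status) { Write-Warning "$Drive is not a BitLocker-protected drive."; return $false }

    $thumbs = @(Get-BitLockerDraThumbprints $Drive)
    if ($thumbs.Count -eq 0) {
        if ($status -eq 'Locked') {
            # Protectors can only be changed on an unlocked drive, so a drive that was
            # locked before it ever received the DRA protector is out of the DRA's reach.
            Write-Warning "$Drive has no DRA protector and is locked; the DRA cannot help here."
            return $false
        }
        # Provisioning path (drive still unlocked): apply the identification field
        # from policy, which also adds the configured DRA protector, then re-read.
        & manage-bde -SetIdentifier $Drive | Out-Null
        $thumbs = @(Get-BitLockerDraThumbprints $Drive)
        if ($thumbs.Count -eq 0) { Write-Warning "manage-bde -SetIdentifier did not add a DRA protector to $Drive."; return $false }
    }

    foreach ($thumb in $thumbs) {
        # Only a copy with the private key can unlock; the public certificate from the GPO is not enough.
        $cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $thumb -and $_.HasPrivateKey }
        if (-not $cert) { continue }
        if ($status -ne 'Locked') { Write-Host "$Drive is already unlocked; DRA $thumb is present and usable."; return $true }
        & manage-bde -unlock $Drive -cert -ct $thumb | Out-Null
        if ($LASTEXITCODE -eq 0) { Write-Host "Unlocked $Drive with DRA certificate $thumb."; return $true }
        Write-Warning "manage-bde -unlock failed for $thumb (exit code $LASTEXITCODE)."
    }
    Write-Warning "No DRA private key for $Drive in Cert:\CurrentUser\My (DRA thumbprints: $($thumbs -join ', '))."
    return $false
}

Unlock-BitLockerDriveWithDra -Drive 'F:'
```

The protector parsing relies on the output layout shown above (headings indented four spaces, thumbprints on their own line), which is what manage-bde 6.1 prints; the lock-status check is what separates the provisioning case, where -SetIdentifier can still add the protector, from the recovery case, where only an existing DRA protector and its private key will do.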

I hope the above information is useful. Thanks for taking the time to read it.


More Information:

http://blogs.technet.com/b/bitlocker/

 

Manoj Sehgal
Senior Support Escalation Engineer
Microsoft Enterprise Platforms Support

  • This is a great article on how to set up a BitLocker DRA agent, but the title says how to use... I have set up a recovery agent as per your instructions, added it to the GPO etc. How do I then use the DRA account or certificate to recover my locked disk from another machine?

  • Paul,

    On the other machine, you need to have the certificate with the private key. If you do not have the private key then you cannot unlock the device.

  • Hi Manoj,

    can You please tell me how can i do this:

    "If you do not have the bitlocker DRA template, you can copy the Key Recovery Agent template and then add Bitlocker Drive Encryption and Bitlocker Drive Recovery Agent from the application policies."

    Adam

  • Adam,

    Open Certificate Authority on your server where you have CA role installed and then select Certificate Templates, Right click and select Manage.

    In the list of default templates, select Key Recovery Agent, right-click and select Duplicate Template.

    Give a new name to this template, say BitLocker DRA.

    In Properties of Template, under Extensions add BitLocker DRA as shown in steps in blog.

  • For key protectors I only got the Data Recovery Agent (Certificate Based) and TPM with PIN.

    Should it be possible to open a disk in the same way?

    I get "Certificate failed to unlock the drive". The thumbprint is right, and I have the certificate with the private key in my personal store.

    I have BitLocker enabled on an eSATA disk, which I insert into the computer where I want to unlock it.

    James

  • Due to some error my BitLocker recovery key is damaged. I know the BitLocker identification number. How can I open the device? Please tell.

  • This software is good,but i still believe apple site software for data recovery mac www.apple.com/.../filerecovery.html

  • Really a nice post and the software you have mentioned is good. Due to a past experience of data loss I am using Stellar data recovery software for my PC because using this software I recovered all my lost data.

  • Please, I can't clearly follow your explanation to Adam:

    ''Open Certificate Authority on your server where you have CA role installed and then select Certificate Templates, Right click and select Manage.

    In the list of default templates, select Key Recovery Agent, right-click and select Duplicate Template.

    Give a new name to this template, say BitLocker DRA.

    In Properties of Template, under Extensions add BitLocker DRA as shown in steps in blog.''

    So please can you help me with example images? Thank you.

  • I hope this isn't a stupid question.... My system did an automatic update and afterwards it wouldn't load up.

    It attempted but didn't get past the splash screen... So I had to restore my system back to the factory settings. My problem now is that my external drive is asking for a recovery key I now don't have because it was on the computer before restoring. Is there by any chance someone who can help me unlock my drive that has this BitLocker software? I'm not very cpu savvy.

  • Hey Manoj,

    Can you help me out with this?

    My HDD needs a recovery key for BitLocker, whereas I have formatted the PC. Now the key is gone. The only thing I have is the recovery key identification.

    I don't want to format the HDD, but I am not able to use it either as it is already encrypted.

    Any solutions?

  • I have lost my recovery key & my ID is -139B30DE-DDC5-442A-B62B-2A1920C1830D

  • I have BitLocker Drive Encryption Recovery Key.TXT

    But it does not work, and the USB H/D is locked. When I open it, it requests the USB flash drive or to type the recovery key, and when I do, it gives me an error.

  • Hello, I am in great trouble, please help me out. I have forgotten my BitLocker password and I didn't save the recovery key. I have formatted drive C:, I can't access drive E:, I have locked drive E. What shall I do now to unlock this drive? Please help, thanks.