How to use Bitlocker Data Recovery Agent to unlock Bitlocker Protected Drives


Hello, my name is Manoj Sehgal. I am a Senior Support Escalation Engineer in the Windows group, and today’s blog will cover “How to use the BitLocker Data Recovery Agent (DRA) to unlock BitLocker-protected drives”.

In Windows 7, you have the option to unlock drives using a BitLocker DRA if you have a PKI infrastructure in place.

What is a Data Recovery Agent?

Data recovery agents are individuals whose public key infrastructure (PKI) certificates have been used to create a BitLocker key protector, so those individuals can use their credentials to unlock BitLocker-protected drives. Data recovery agents can be used to recover BitLocker-protected operating system drives, fixed data drives, and removable data drives. However, when used to recover operating system drives, the operating system drive must be mounted on another computer as a data drive for the data recovery agent to be able to unlock the drive. Data recovery agents are added to the drive when it is encrypted and can be updated after encryption occurs.

Pre-requisites:

To use a DRA with BitLocker, make sure the Group Policy setting that provides unique identifiers for your organization is enabled.

To configure the GPO:

  1. Expand Computer Configuration –> Administrative Templates –> Windows Components –> BitLocker Drive Encryption.
  2. Open “Provide Unique Identifiers for your organization” and enable this policy (see screenshot below).
  3. For the BitLocker Identification Field, you can enter your company name or any other name.
  4. Make sure the BitLocker Identification Field and the Allowed BitLocker Identification Field are the same.

 


When do we use Bitlocker DRA?

In Windows 7, we introduced the BitLocker DRA feature, which can be used to unlock fixed data drives and removable data drives.

Generally, when we encrypt a USB flash drive or a fixed data drive, we set a password to unlock the drive. By using a file-based certificate we get an additional key protector for the drive, and we can use that protector to unlock the drive.

When you connect to a Windows 7 client machine and open Control Panel –> BitLocker Drive Encryption, you will see all your data drives.

Open Certificate Manager on the client computer.

Expand Personal and click Certificates. Right Click on Certificates and Select All Tasks and then select Request New certificate.


Under Certificate Templates, select the BitLocker DRA certificate template.

If you do not have a BitLocker DRA template, you can copy the Key Recovery Agent template and then add BitLocker Drive Encryption and BitLocker Data Recovery Agent from the application policies.

NOTE: If you do not see these attributes listed under the application policies, log on to the domain controller again using a schema admin account and install the BitLocker feature. The ‘BitLocker Drive Encryption’ and ‘BitLocker Data Recovery Agent’ application policies will be listed once the BitLocker feature is installed.


Install the certificate on the computer.


Export the Certificate.


Save the certificate to a location on your computer.


Now we can use a Group Policy to apply the certificate to all machines in the OU.


Open the Group Policy Management Console and then add the BitLocker DRA.

Expand Computer Configuration –> Windows Settings –> Security Settings –> Public Key Policies –> Bitlocker Drive Encryption.

Right click on Bitlocker Drive Encryption and then click Add Data Recovery Agent.

Note: If a user wants to add an additional BitLocker DRA for his drive, he can add it by using the local security policy:

  1. Open the Group Policy Management Editor (gpedit.msc) on the Windows 7 client machine.
  2. Expand Computer Configuration –> Windows Settings –> Security Settings –> Public Key Policies –> BitLocker Drive Encryption.
  3. Right-click BitLocker Drive Encryption and then click Add Data Recovery Agent.


Click Browse Folders and then select the certificate (.DER) file that we exported above.


After adding the DRA certificate to the policy, go to the Windows 7 client machine and run ‘gpupdate /force’ so the client picks up the new DRA.

Then, on the Windows 7 client machine, open an elevated command prompt and use the following commands.

To get the protectors, run:

C:\>manage-bde -protectors -get f:
BitLocker Drive Encryption: Configuration Tool version 6.1.7600
Copyright (C) Microsoft Corporation. All rights reserved.

Volume F: [New Volume]
All Key Protectors

    Numerical Password:
      ID: {FB4FF4B1-AAA3-4BB6-937E-80E7241CA2F2}
      Password:
        526108-505340-456258-529034-347050-022297-147796-530310

    Password:
      ID: {96C170CF-65AF-42A7-BEF8-0AD21667C02B}

    Smart Card (Certificate Based):
      ID: {7BBF31F5-DEBD-4C24-B76F-012855B4EF39}
      Certificate Thumbprint:
        09141e2c459016b5c51754503956c1d62efeee62

    Data Recovery Agent (Certificate Based):
      ID: {E1749014-6760-4501-9A48-58152A587279}
      Certificate Thumbprint:
        1e66a3476615d9a1e51f56aec49024bb34b8a688

To lock the drive, use:

C:\>manage-bde -lock f:
BitLocker Drive Encryption: Configuration Tool version 6.1.7600
Copyright (C) Microsoft Corporation. All rights reserved.
Volume F: is now locked

To unlock the drive using the DRA certificate thumbprint, run:

C:\>manage-bde -unlock f: -cert -ct 1e66a3476615d9a1e51f56aec49024bb34b8a688
BitLocker Drive Encryption: Configuration Tool version 6.1.7600
Copyright (C) Microsoft Corporation. All rights reserved.
The certificate successfully unlocked volume F:.
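As an added example (this is not code from the original post), the following PowerShell script wraps the manage-bde check above so an administrator can confirm that every fixed or removable volume actually carries a DRA key protector matching the certificate published through Group Policy. A drive that was encrypted before the policy applied, or on a machine whose identification field does not match, will show up without the DRA protector. The thumbprint is the one from the output above; the function names are my own.

```powershell
# Added example, not part of the original post. Replace the thumbprint with
# the one from your own DRA certificate (taken here from the post's output).
$ExpectedDraThumbprint = '1e66a3476615d9a1e51f56aec49024bb34b8a688'

function Get-BdeDraThumbprints {
    # Parse 'manage-bde -protectors -get <drive>' and return the thumbprints of
    # all 'Data Recovery Agent (Certificate Based)' protectors on that volume.
    param([Parameter(Mandatory)][string]$DriveLetter)
    $output = & manage-bde.exe -protectors -get $DriveLetter 2>&1
    if ($LASTEXITCODE -ne 0) { return @() }   # not BitLocker-protected or not accessible
    $inDra = $false
    foreach ($line in $output) {
        $text = "$line".Trim()
        if ($text -eq 'Data Recovery Agent (Certificate Based):') { $inDra = $true; continue }
        # Any other protector heading ends the DRA section; field labels do not.
        if ($text -match ':$' -and $text -notmatch '^(ID|Certificate Thumbprint):$') {
            $inDra = $false; continue
        }
        if ($inDra -and $text -match '^[0-9a-fA-F]{40}$') { $text.ToLower() }
    }
}

function Test-BdeDraCompliance {
    # For each fixed (DriveType=3) or removable (DriveType=2) volume, report
    # whether the expected DRA protector is present.
    param([string]$Thumbprint = $ExpectedDraThumbprint)
    Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=2 OR DriveType=3' |
        ForEach-Object {
            $drive = $_.DeviceID                               # e.g. 'F:'
            $found = @(Get-BdeDraThumbprints -DriveLetter $drive)
            [pscustomobject]@{
                Drive          = $drive
                DraPresent     = ($found -contains $Thumbprint.ToLower())
                DraThumbprints = ($found -join ',')
            }
        }
}

# List the volumes that still lack the DRA protector; run from an elevated prompt.
Test-BdeDraCompliance | Where-Object { -not $_.DraPresent } | Format-Table -AutoSize

# Once a volume reports DraPresent = True, it can be unlocked exactly as in the post:
#   manage-bde -unlock F: -cert -ct $ExpectedDraThumbprint
```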

I hope the above information is useful to everyone. Thanks for taking the time to read it.

More Information:

https://blogs.technet.com/b/bitlocker/


Manoj Sehgal
Senior Support Escalation Engineer
Microsoft Enterprise Platforms Support