How to use Bitlocker Data Recovery Agent to unlock Bitlocker Protected Drives
Hello, my name is Manoj Sehgal. I am a Senior Support Escalation Engineer in the Windows group, and today’s blog will cover “How to use Bitlocker Data Recovery Agent (DRA) to unlock Bitlocker Protected Drives”.
In Windows 7 you have the option to unlock drives with a Bitlocker DRA if you have a PKI infrastructure in place.
What is a Data Recovery Agent?
Data recovery agents are individuals whose public key infrastructure (PKI) certificates have been used to create a BitLocker key protector, so those individuals can use their credentials to unlock BitLocker-protected drives. Data recovery agents can be used to recover BitLocker-protected operating system drives, fixed data drives, and removable data drives. However, when used to recover operating system drives, the operating system drive must be mounted on another computer as a data drive for the data recovery agent to be able to unlock the drive. Data recovery agents are added to the drive when it is encrypted and can be updated after encryption occurs.
Pre-requisites:
To use a DRA for BitLocker, make sure the GPO for unique identifiers is enabled.
To configure the GPO:
1. Expand Computer Configuration, Administrative Templates, Windows Components, BitLocker Drive Encryption.
2. Open “Provide Unique Identifiers for your organization” and enable this policy (see screenshot below).
3. For BitLocker Identification Field you can give your company name or any other name.
4. Make sure BitLocker Identification Field and Allowed BitLocker Identification Field are the same.
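The following PowerShell script is an added example (it is not part of the original post) that checks this prerequisite on a client before you rely on the DRA: it reads the policy values, confirms the policy is enabled and that both identification fields are identical, and then reads the identification field BitLocker actually stamped on an encrypted drive. Assumptions, not taken from the post: the policy stores its settings under HKLM\SOFTWARE\Policies\Microsoft\FVE as the values IdentificationField (DWORD, 1 = enabled), IdentificationFieldString and SecondaryIdentificationField, and `manage-bde -status` prints a line labelled "Identification Field:".

```powershell
# Added example, not from the original post: pre-flight check of the
# "Provide Unique Identifiers for your organization" policy on a Windows 7 client.
# ASSUMPTION: the policy writes IdentificationField (DWORD, 1 = enabled),
# IdentificationFieldString (BitLocker Identification Field) and
# SecondaryIdentificationField (Allowed BitLocker Identification Field) under this key.
$FvePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Test-BitLockerIdentificationPolicy {
    if (-not (Test-Path $FvePolicyKey)) {
        Write-Warning "No BitLocker policy found under $FvePolicyKey. Run 'gpupdate /force' and check again."
        return $false
    }
    $p = Get-ItemProperty -Path $FvePolicyKey
    if ($p.IdentificationField -ne 1) {
        Write-Warning "'Provide Unique Identifiers for your organization' is not enabled."
        return $false
    }
    $idField      = [string]$p.IdentificationFieldString
    $allowedField = [string]$p.SecondaryIdentificationField
    if ([string]::IsNullOrEmpty($idField)) {
        Write-Warning "The BitLocker Identification Field is empty; it is required for the DRA to apply."
        return $false
    }
    # The post requires both fields to be the same, so compare them exactly (case-sensitive).
    if ($idField -cne $allowedField) {
        Write-Warning ("Identification Field '{0}' differs from Allowed Identification Field '{1}'." -f $idField, $allowedField)
        return $false
    }
    Write-Host "Identification field policy OK: '$idField'"
    return $true
}

# ASSUMPTION: 'manage-bde -status <drive>' prints a line "Identification Field: <value>".
# Reading it confirms what was actually stamped on an encrypted data drive.
function Get-VolumeIdentificationField([string]$Drive) {
    foreach ($line in (& manage-bde -status $Drive 2>&1)) {
        if ([string]$line -match '^\s*Identification Field:\s*(.*)$') { return $Matches[1].Trim() }
    }
    return $null
}

if (Test-BitLockerIdentificationPolicy) {
    Write-Host ("Drive F: identification field: {0}" -f (Get-VolumeIdentificationField 'F:'))
}
```

Run it from an elevated PowerShell prompt on the client after `gpupdate /force`; a drive that reports no identification field, or one that differs from the policy value, is the first thing to look at when the DRA protector does not show up on that drive.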
When do we use Bitlocker DRA?
In Windows 7 we introduced the Bitlocker DRA feature, which can be used to unlock fixed data drives and removable data drives.
Generally, when we encrypt a USB flash drive or a fixed data drive we set a password to unlock the drive. By using a file-based certificate we get an additional protector for the drive, and we can use it to unlock the drive.
When you log on to a Windows 7 client machine and open Control Panel –> Bitlocker Drive Encryption, you will see all your data drives.
1. Open Certificate Manager on the client computer.
2. Expand Personal and click Certificates. Right-click Certificates, select All Tasks, and then select Request New Certificate.
3. Under Certificate Templates, select the Bitlocker DRA certificate template.
If you do not have a Bitlocker DRA template, you can copy the Key Recovery Agent template and then add Bitlocker Drive Encryption and Bitlocker Data Recovery Agent from the application policies.
NOTE: In case you do not see these attributes listed under the application policies, re-login to the domain controller using a schema admin account and install the Bitlocker feature. The ‘Bitlocker Drive Encryption’ and ‘Bitlocker Data Recovery Agent’ application policies will be listed once the Bitlocker feature is installed.
4. Install the certificate on the computer.
5. Export the certificate.
6. Save the certificate to a location on your computer.
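As an added example (not the post's own code), the PowerShell below does steps 4 to 6 in a checkable way: it finds the enrolled DRA certificate in the user's Personal store by its application policy, verifies that the private key is present (without it the certificate can never unlock a drive), and writes the public certificate out as a DER-encoded .cer file for the Group Policy step that follows. Assumptions: the application-policy OID 1.3.6.1.4.1.311.67.1.2 identifies "BitLocker Data Recovery Agent" (this OID is assumed here, not quoted from the post), and the export path is a placeholder.

```powershell
# Added example, not from the original post. Finds the DRA certificate, checks it,
# and exports the public certificate (DER) for the Add Data Recovery Agent wizard.
# ASSUMPTION: 1.3.6.1.4.1.311.67.1.2 is the "BitLocker Data Recovery Agent" application policy OID.
$DraEkuOid  = '1.3.6.1.4.1.311.67.1.2'
$ExportPath = 'C:\DRA\BitLockerDRA.cer'   # placeholder path, adjust to your environment

function Get-BitLockerDraCertificate {
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $eku = $_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        # Keep only certificates whose Enhanced Key Usage contains the DRA application policy
        $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $DraEkuOid })
    }
}

function Export-BitLockerDraCertificate([string]$Path) {
    $certs = @(Get-BitLockerDraCertificate)
    if ($certs.Count -eq 0) {
        throw "No certificate with the BitLocker DRA application policy was found in Cert:\CurrentUser\My."
    }
    if ($certs.Count -gt 1) {
        Write-Warning ("{0} DRA certificates found; exporting the one that expires last." -f $certs.Count)
    }
    $cert = $certs | Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert.HasPrivateKey) {
        throw ("Certificate {0} has no private key in this store; it cannot be used to unlock drives." -f $cert.Thumbprint)
    }
    if ($cert.NotAfter -lt (Get-Date)) {
        Write-Warning ("Certificate {0} expired on {1}." -f $cert.Thumbprint, $cert.NotAfter)
    }
    # Export only the public certificate (DER encoding); the private key stays in the store.
    $bytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    $dir = Split-Path -Path $Path -Parent
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    [System.IO.File]::WriteAllBytes($Path, $bytes)
    Write-Host ("Exported DRA certificate {0} to {1}" -f $cert.Thumbprint, $Path)
    return $cert.Thumbprint
}

$draThumbprint = Export-BitLockerDraCertificate -Path $ExportPath
```

The .cer produced here is what you browse to in the Add Data Recovery Agent wizard; it contains no secret. The private key that does the unlocking lives only in the store of the machine where the certificate was enrolled, so back it up (as a password-protected PFX) to a location with the same protection you would give a domain recovery secret, because a DRA whose private key is lost recovers nothing.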
Now we can use a Group Policy to apply the certificate to all machines in the OU.
1. Open the Group Policy Management Console and edit the GPO to which the Bitlocker DRA will be added.
2. Expand Computer Configuration –> Windows Settings –> Security Settings –> Public Key Policies –> Bitlocker Drive Encryption.
3. Right-click Bitlocker Drive Encryption and then click Add Data Recovery Agent.
Note:
If a user wants to add an additional Bitlocker DRA for their drive, they can add it using the local security policies:
- Open Group Policy Management Editor (gpedit.msc) on the Windows 7 client machine.
- Expand Computer Configuration –> Windows Settings –> Security Settings –> Public Key Policies –> Bitlocker Drive Encryption.
- Right-click Bitlocker Drive Encryption and then click Add Data Recovery Agent.
4. Click Browse Folders and then select the certificate (.DER) file exported above.
5. After adding the DRA, go to the Windows 7 client machine and run ‘gpupdate /force’ so the policy is applied.
On the Windows 7 client machine, open an elevated command prompt and use the following commands.
To list the key protectors on the drive, run:
C:\>manage-bde -protectors -get f:
BitLocker Drive Encryption: Configuration Tool version 6.1.7600
Copyright (C) Microsoft Corporation. All rights reserved.
Volume F: [New Volume]
All Key Protectors
Numerical Password:
ID: {FB4FF4B1-AAA3-4BB6-937E-80E7241CA2F2}
Password:
526108-505340-456258-529034-347050-022297-147796-530310
Password:
ID: {96C170CF-65AF-42A7-BEF8-0AD21667C02B}
Smart Card (Certificate Based):
ID: {7BBF31F5-DEBD-4C24-B76F-012855B4EF39}
Certificate Thumbprint:
09141e2c459016b5c51754503956c1d62efeee62
Data Recovery Agent (Certificate Based):
ID: {E1749014-6760-4501-9A48-58152A587279}
Certificate Thumbprint:
1e66a3476615d9a1e51f56aec49024bb34b8a688
To lock the drive, use:
C:\>manage-bde -lock f:
BitLocker Drive Encryption: Configuration Tool version 6.1.7600
Copyright (C) Microsoft Corporation. All rights reserved.
Volume F: is now locked
To unlock the drive using the DRA certificate thumbprint, use:
C:\>manage-bde -unlock f: -cert -ct 1e66a3476615d9a1e51f56aec49024bb34b8a688
BitLocker Drive Encryption: Configuration Tool version 6.1.7600
Copyright (C) Microsoft Corporation. All rights reserved.
The certificate successfully unlocked volume F:.
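The same unlock, wrapped in a PowerShell script as an added example (not the post's own code): it parses the `manage-bde -protectors -get` output shown above to find the thumbprint of the Data Recovery Agent protector, checks that a certificate with that thumbprint and its private key is actually in a store on this machine before trying, and only then runs `manage-bde -unlock <drive> -cert -ct <thumbprint>`. Assumptions: the output layout is the one printed above (a "Data Recovery Agent (Certificate Based):" block containing "Certificate Thumbprint:" with the hex value on the following line), and manage-bde returns exit code 0 on success.

```powershell
# Added example, not from the original post. Unlock a data drive with its DRA protector,
# after confirming the matching private key is present (the usual cause of
# "certificate failed to unlock the drive" is a thumbprint with no private key behind it).

function Get-BitLockerDraThumbprints([string]$Drive) {
    # ASSUMPTION: output layout as shown in the post; protector headings end with ':'.
    $lines = & manage-bde -protectors -get $Drive 2>&1 | ForEach-Object { [string]$_ }
    $inDra = $false; $expectHash = $false; $found = @()
    foreach ($line in $lines) {
        $t = $line.Trim()
        if ($t -eq 'Data Recovery Agent (Certificate Based):') { $inDra = $true; continue }
        if ($t -match ':$' -and $t -ne 'ID:' -and $t -ne 'Certificate Thumbprint:') {
            # Any other protector heading (Numerical Password, Smart Card, ...) ends the DRA block
            $inDra = $false; $expectHash = $false; continue
        }
        if ($inDra -and $t -eq 'Certificate Thumbprint:') { $expectHash = $true; continue }
        if ($expectHash -and $t -match '^[0-9a-fA-F]{40}$') {
            $found += $t.ToLower(); $expectHash = $false; $inDra = $false
        }
    }
    return $found
}

function Unlock-BitLockerDriveWithDra([string]$Drive) {
    $thumbs = @(Get-BitLockerDraThumbprints $Drive)
    if ($thumbs.Count -eq 0) {
        throw "No Data Recovery Agent protector is present on $Drive; the DRA cannot unlock it."
    }
    $stores = 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My'
    foreach ($thumb in $thumbs) {
        $cert = Get-ChildItem -Path $stores |
            Where-Object { $_.Thumbprint -eq $thumb.ToUpper() -and $_.HasPrivateKey } |
            Select-Object -First 1
        if (-not $cert) {
            Write-Warning ("DRA protector {0}: no certificate with a private key in {1}; skipping." -f $thumb, ($stores -join ', '))
            continue
        }
        # Same command as in the post; ASSUMPTION: exit code 0 means the volume was unlocked.
        $out = & manage-bde -unlock $Drive -cert -ct $thumb 2>&1
        if ($LASTEXITCODE -eq 0) {
            Write-Host ($out | Out-String)
            return $true
        }
        Write-Warning ("manage-bde -unlock failed for {0}: {1}" -f $thumb, ($out | Out-String))
    }
    return $false
}

# Usage from an elevated PowerShell prompt on the machine holding the DRA private key
Unlock-BitLockerDriveWithDra 'F:'
```

Remember the restriction from the top of the post: an operating system drive must be attached to another computer as a data drive before the DRA can unlock it, and the machine you run this on must be the one where the DRA certificate and its private key are installed.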
I hope the above information is useful to everyone. Thanks for taking the time to read it.
More Information:
https://blogs.technet.com/b/bitlocker/
Manoj Sehgal
Senior Support Escalation Engineer
Microsoft Enterprise Platforms Support
Comments
- Anonymous (January 01, 2003): I hope this isn't a stupid question.... My system did an automatic update and after it wouldn't load up. It attempted but didn't get past the splash screen... So I had to restore my system back to the factory settings.. my problem now is that my ext drive is asking for a recovery I now don't have because it was on the computer before restoring.. Is there by any chance someone can help me unlock my drive that has this bit locker software.. I'm not very cpu savvy.
- Anonymous (January 09, 2011): This is a great article on how to set up a Bitlocker DRA agent, but the title says how to use... I have set up a recovery agent as per your instructions, added to the GPO etc. How do I then use the DRA account or certificate to recover my locked disk from another machine.
- Anonymous (January 20, 2011): Paul, on the other machine you need to have the certificate with the private key. If you do not have the private key then you cannot unlock the device.
- Anonymous (January 22, 2011): Hi Manoj, can you please tell me how I can do this: "If you do not have the bitlocker DRA template, you can copy the Key Recovery Agent template and then add Bitlocker Drive Encryption and Bitlocker Drive Recovery Agent from the application policies." Adam
- Anonymous (January 22, 2011): Hi Manoj, can you please tell me how I can do this: "If you do not have the bitlocker DRA template, you can copy the Key Recovery Agent template and then add Bitlocker Drive Encryption and Bitlocker Drive Recovery Agent from the application policies." Adam
- Anonymous (January 26, 2011): Adam, open Certificate Authority on your server where you have the CA role installed and then select Certificate Templates, right-click and select Manage. In the list of default templates, select Key Recovery Agent, right-click and select Duplicate Template. Give a new name to this template, say BitLocker DRA. In Properties of Template, under Extensions add BitLocker DRA as shown in the steps in the blog.
- Anonymous (February 10, 2011): For key protectors I only got the Data Recovery Agent (Certificate Based) and TPM with PIN. Should it be possible to open a disk in the same way? I get "Certificate failed to unlock the drive". The thumbprint is right, and I have the certificate with the private key in my personal store.. I have Bitlocker enabled on an eSATA disk, which I insert into the computer where I want to unlock it. James
- Anonymous (March 05, 2011): due to some error my bitlocker recovery key damage. I knew the bitlocker identification number. how can I open the device.............plz tell
- Anonymous (March 14, 2011): This software is good, but I still believe apple site software for data recovery mac www.apple.com/.../filerecovery.html
- Anonymous (April 04, 2011): Really a nice post and the software you have mentioned is good. Due to a past experience of data loss I am using stellar data recovery software for my PC because using this software I recovered all my lost data.
- Anonymous (April 05, 2011): Please, I can't clearly do that, your explanation to Adam, ''Open Certificate Authority on your server where you have the CA role installed and then select Certificate Templates, right-click and select Manage. In the list of default templates, select Key Recovery Agent, right-click and select Duplicate Template. Give a new name to this template, say BitLocker DRA. In Properties of Template, under Extensions add BitLocker DRA as shown in the steps in the blog.'' so please can you help me with example images? thank you
- Anonymous (May 22, 2011): hey manoj, can you help me out with this. my HDD needs a recovery key for the Bitlocker, whereas I have formatted the PC. now the key is gone. The only thing I have is the recovery key identification. I don't want to format the HDD, but am not able to use it too as it is already encrypted. Any solutions?
- Anonymous (June 21, 2012): i have lost my recovery key & my id is -139B30DE-DDC5-442A-B62B-2A1920C1830D
- Anonymous (June 21, 2012): The comment has been removed
- Anonymous (August 30, 2012): The comment has been removed
- Anonymous (October 15, 2012): BitLocker recovery key identification, 4A00E12C-8AD1-4ED7-AFE8-D6FB602EEE13. Please can you help me. Thanks
- Anonymous (November 17, 2012): Tnx...
- Anonymous (November 28, 2012): I accidentally deleted a bitlocker encrypted partition in Windows 7 Ultimate. Now it appears as "Unallocated" space in Disk Management. How do I get Windows 7 to recognise the partition again?
- Anonymous (January 01, 2013): how to unlock and remove the bit locker recovery key from my usb
- Anonymous (January 09, 2013): Hello, great article. But I also have problems creating a Key Recovery Agent with the "BitLocker Drive Encryption" and "Bitlocker Data Recovery Agent" extensions. I can't add those extensions to my duplicated template, they're not listed under extensions... any ideas?
- Anonymous (April 17, 2013): how to unlock bitlocker, i have id
- Anonymous (May 14, 2013): pls support for recovery bitlocker automatic lock system
- Anonymous (October 30, 2013): Great article. One issue though is that I've installed the bitlocker drive encryption feature on both DCs that our internal MS CA is member of, and the two new application policies are not showing up. I used a schema admins account as well. Any suggestions? Also, if we have multiple domains in the forest, do I need to install the bitlocker drive encryption feature on all the DCs in order to use bitlocker in all the domains? Thanks Joe
- Anonymous (December 03, 2013): dear sir please help me i forgot my bit locker key and password please help me sir all my important data is in the drive. so please reply to this email id psuhel46@yahoo.in, suhel.mca46@gmail.com
- Anonymous (January 25, 2014): The comment has been removed
- Anonymous (January 25, 2014): www.datasavers.com.sg Offering good services.
- Anonymous (February 04, 2014): dear sir please help me i forgot my bit locker key and password please help me sir all my important data is in the drive. so please reply to this email id ripatkhan@gmail.com
- Anonymous (June 03, 2014): Hello manoj, I have forgotten the password for my Toshiba external hard drive and I also don't have the recovery key (rather there was no option of recovery key saving or any mention of recovery key when I encrypted the drive). What can I do? Plz help! Thanks
- Anonymous (August 29, 2014): Hello Manoj, is it the same procedure for Windows 8 and 8.1 on a domain? Also do you know if it would still be FIPS 140-2 compliant?
- Anonymous (September 23, 2014): The comment has been removed
- Anonymous (October 21, 2014): Great to share Bitlocker Data Recovery. Our data recovery firm in Bristol - http://goo.gl/OVQxyB
- Anonymous (November 07, 2014): The comment has been removed
- Anonymous (November 14, 2014): The comment has been removed
- Anonymous (November 24, 2014): Nice configuration tips. http://goo.gl/elxUyu
- Anonymous (January 21, 2015): The comment has been removed
- Anonymous (February 25, 2015): I have been using Bitlocker Data Recovery for one year. It is really helpful software for your data recovery solutions. It recovers almost ninety five percent of data from your corrupt storage media device.
- Anonymous (April 13, 2015): Really great post and Thanks.. see: http://www.geeksonsite.co.nz/
- Anonymous (January 16, 2016): I have a drive I locked through Windows 7 bit locker and I upgraded to Windows 10, and now my drive won't unlock. I placed the recovery file on the same drive before I upgraded to Windows 10. I need to unlock the drive and get my data out of it. ahmadfaraz81@hotmail.com
- Anonymous (February 28, 2016): Hi all... This is indeed an interesting post! I've spent a lot of time with Bit Locker and I think it has addressed a big need in our industry. I have attempted all these things. I have some questions to ask, like: Is the Bit Locker recovery information stored in plain text in AD DS? I also want to know whether I can access my Bit Locker-protected drive if I insert the hard disk into a different computer? Keep Posting!
- Anonymous (March 10, 2016): You need to enable Bit-Locker on the Certificate Authority server; only then will you be able to view Bit-Locker Drive Encryption and Bit-Locker Drive Recovery Agent in the application policies during the duplicate template creation process.
- Anonymous (March 10, 2016): You need to enable the Bit-Locker drive encryption feature on the Certificate Authority server.