How to use Bitlocker Data Recovery Agent to unlock Bitlocker Protected Drives

Hello, my name is Manoj Sehgal. I am a Senior Support Escalation Engineer in the Windows group, and today's blog will cover "How to use Bitlocker Data Recovery Agent (DRA) to unlock Bitlocker Protected Drives".

In Windows 7, we have the option to unlock devices using a Bitlocker DRA if you have a PKI infrastructure in place.

What is a Data Recovery Agent?

Data recovery agents are individuals whose public key infrastructure (PKI) certificates have been used to create a BitLocker key protector, so those individuals can use their credentials to unlock BitLocker-protected drives. Data recovery agents can be used to recover BitLocker-protected operating system drives, fixed data drives, and removable data drives. However, when used to recover operating system drives, the operating system drive must be mounted on another computer as a data drive for the data recovery agent to be able to unlock the drive. Data recovery agents are added to the drive when it is encrypted and can be updated after encryption occurs.

Pre-requisites:

To use a DRA for BitLocker, make sure the GPO for Unique ID is enabled.

To configure the GPO:

1. Expand Computer Configuration, Administrative Templates, Windows Components, BitLocker Drive Encryption.
2. Open the policy "Provide Unique Identifiers for your organization" and enable it.
3. For the BitLocker Identification Field you can give your company name or any name.
4. Make sure the BitLocker Identification Field and the Allowed BitLocker Identification Field are the same.

When do we use Bitlocker DRA?

In Windows 7, we introduced the Bitlocker DRA feature, which can be used to unlock fixed data drives and removable data drives.

Generally, when we encrypt a USB flash drive or a fixed data drive, we set a password to unlock the drive. By adding a file-based certificate we get an additional protector for the drive, and we can use it to unlock the drive.

When you connect to a Windows 7 client machine and open Control Panel –> Bitlocker Drive Encryption, you will see all your data drives.

Open Certificate Manager on the client computer.

Expand Personal and click Certificates. Right Click on Certificates and Select All Tasks and then select Request New certificate.


Under the Certificate Templates, select Bitlocker DRA certificate template.

If you do not have the bitlocker DRA template, you can copy the Key Recovery Agent template and then add Bitlocker Drive Encryption and Bitlocker Drive Recovery Agent from the application policies.

NOTE: In case you do not see these attributes listed under the Application Policies, you should re-login to the domain controller using a schema admin account and install the Bitlocker feature. The 'Bitlocker Drive Encryption' and 'Bitlocker Data Recovery Agent' application policies will be listed once the Bitlocker feature is installed.

Install the certificate on the computer.

Export the certificate.

Save the certificate to a location on your computer.

Now we can use a Group Policy to apply the certificate to all machines in the OU.

Open Group Policy Management Console and then add the bitlocker DRA.

Expand Computer Configuration –> Windows Settings –> Security Settings –> Public Key Policies –> Bitlocker Drive Encryption.

Right click on Bitlocker Drive Encryption and then click Add Data Recovery Agent.

Note:

If a user wants to add additional Bitlocker DRA for his drive, he can add it by using the local security policies.

  1. Open Group Policy Management Editor (gpedit.msc) on Windows 7 client machine.
  2. Expand Computer Configuration –> Windows Settings –> Security Settings –> Public Key Policies –> Bitlocker Drive Encryption.
  3. Right click on Bitlocker Drive Encryption and then click Add Data Recovery Agent.

Click Browse Folders and select the certificate (.DER) file that we exported above.

After adding the DRA, go to the Windows 7 client machine and run 'gpupdate /force' so that the policy (and with it the certificate) is applied.

On Windows 7 client machine, open an elevated command prompt and use the following commands:

To get the protectors, run:

C:\>manage-bde -protectors -get f:
BitLocker Drive Encryption: Configuration Tool version 6.1.7600
Copyright (C) Microsoft Corporation. All rights reserved.

Volume F: [New Volume]
All Key Protectors

    Numerical Password:
      ID: {FB4FF4B1-AAA3-4BB6-937E-80E7241CA2F2}
      Password:
        526108-505340-456258-529034-347050-022297-147796-530310

    Password:
      ID: {96C170CF-65AF-42A7-BEF8-0AD21667C02B}

    Smart Card (Certificate Based):
      ID: {7BBF31F5-DEBD-4C24-B76F-012855B4EF39}
      Certificate Thumbprint:
        09141e2c459016b5c51754503956c1d62efeee62

    Data Recovery Agent (Certificate Based):
      ID: {E1749014-6760-4501-9A48-58152A587279}
      Certificate Thumbprint:
        1e66a3476615d9a1e51f56aec49024bb34b8a688

To lock the drive, use:

C:\>manage-bde -lock f:
BitLocker Drive Encryption: Configuration Tool version 6.1.7600
Copyright (C) Microsoft Corporation. All rights reserved.
Volume F: is now locked

To unlock the drive using the DRA certificate thumbprint, use:

C:\>manage-bde -unlock f: -cert -ct 1e66a3476615d9a1e51f56aec49024bb34b8a688
BitLocker Drive Encryption: Configuration Tool version 6.1.7600
Copyright (C) Microsoft Corporation. All rights reserved.
The certificate successfully unlocked volume F:.
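As an added example (not part of the original post), the following PowerShell script automates the unlock step above with the check that most often goes wrong: it parses the `manage-bde -protectors -get` output for the Data Recovery Agent protector, confirms that a certificate with that thumbprint and its private key is present in a personal store, and only then runs `manage-bde -unlock ... -cert -ct`. The `$Drive` parameter and the function names are my own; the script assumes an elevated PowerShell session with manage-bde.exe on the PATH and English-language manage-bde output.

```powershell
# Added example, not from the original post. Assumes an elevated PowerShell
# session on Windows 7 or later with manage-bde.exe on the PATH and English
# manage-bde output (the parsed labels are the English ones shown above).
param(
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^[A-Za-z]:$')]
    [string]$Drive                      # e.g. "F:"
)

# Pull every Data Recovery Agent thumbprint out of "manage-bde -protectors -get".
# The tool prints the protector type, then "ID: {guid}", then
# "Certificate Thumbprint:" with the 40-hex-digit value on the following line.
function Get-DraThumbprint([string]$Drive) {
    $text = (& manage-bde.exe -protectors -get $Drive 2>&1) -join "`n"
    $pattern = 'Data Recovery Agent \(Certificate Based\):\s*ID:\s*\{[0-9A-Fa-f-]+\}\s*' +
               'Certificate Thumbprint:\s*([0-9A-Fa-f]{40})'
    [regex]::Matches($text, $pattern) | ForEach-Object { $_.Groups[1].Value.ToLower() }
}

# The unlock only works when the DRA certificate is in a personal store together
# with its private key; a .cer/.der import alone (public key only) is not enough.
function Find-DraCertificate([string]$Thumbprint) {
    Get-ChildItem Cert:\CurrentUser\My, Cert:\LocalMachine\My -ErrorAction SilentlyContinue |
        Where-Object { $_.Thumbprint -ieq $Thumbprint }
}

$thumbprints = @(Get-DraThumbprint $Drive)
if ($thumbprints.Count -eq 0) {
    Write-Warning "No Data Recovery Agent protector on $Drive (was the DRA policy applied before the drive was encrypted or updated?)"
    exit 1
}

foreach ($tp in $thumbprints) {
    $certs = @(Find-DraCertificate $tp)
    if ($certs.Count -eq 0) {
        Write-Host "DRA $tp : certificate not installed on this machine"
        continue
    }
    if (-not ($certs | Where-Object { $_.HasPrivateKey })) {
        Write-Host "DRA $tp : certificate present but without its private key (import the .pfx)"
        continue
    }
    Write-Host "DRA $tp : certificate and private key found, unlocking $Drive"
    & manage-bde.exe -unlock $Drive -cert -ct $tp
    exit $LASTEXITCODE
}
exit 1
```

Run it as `.\Unlock-WithDra.ps1 -Drive F:`; a non-zero exit code means no DRA protector was found or no usable certificate is installed, which is the situation the "certificate failed to unlock the drive" message usually points to.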

I hope the above information is useful to everyone. Thank you for taking the time to read it.

More Information:

https://blogs.technet.com/b/bitlocker/

Manoj Sehgal
Senior Support Escalation Engineer
Microsoft Enterprise Platforms Support

Comments

  • Anonymous
    January 01, 2003
    I hope this isn't a stupid question.... My system did an automatic update and after it wouldn't load up. It attempted but didn't get past the splash screen... So I had to restore my system back to the factory settings. My problem now is that my ext drive is asking for a recovery key I now don't have because it was on the computer before restoring. Is there by any chance someone who can help me unlock my drive that has this BitLocker software? I'm not very cpu savvy.
  • Anonymous
    January 09, 2011
    This is a great article on how to set up a Bitlocker DRA agent, but the title says how to use... I have set up a recovery agent as per your instructions, added it to the GPO etc. How do I then use the DRA account or certificate to recover my locked disk from another machine?
  • Anonymous
    January 20, 2011
    Paul, on the other machine you need to have the certificate with the private key. If you do not have the private key then you cannot unlock the device.
  • Anonymous
    January 22, 2011
    Hi Manoj, can you please tell me how I can do this: "If you do not have the bitlocker DRA template, you can copy the Key Recovery Agent template and then add Bitlocker Drive Encryption and Bitlocker Drive Recovery Agent from the application policies." Adam
  • Anonymous
    January 26, 2011
    Adam, open Certificate Authority on the server where you have the CA role installed and then select Certificate Templates, right click and select Manage. In the list of default templates, select Key Recovery Agent, right click and select Duplicate Template. Give a new name to this template, say BitLocker DRA. In the Properties of the template, under Extensions, add BitLocker DRA as shown in the steps in the blog.
  • Anonymous
    February 10, 2011
    For key protectors I only got Data Recovery Agent (Certificate Based) and TPM with PIN. Should it be possible to open a disk in the same way? I get "Certificate failed to unlock the drive". The thumbprint is right, and I have the certificate with the private key in my personal store. I have Bitlocker enabled on an eSATA disk, which I insert into the computer where I want to unlock it. James
  • Anonymous
    March 05, 2011
    Due to some error my bitlocker recovery key is damaged. I know the bitlocker identification number. How can I open the device? Please tell.
  • Anonymous
    March 14, 2011
    This software is good, but I still believe in the Apple site software for data recovery on Mac: www.apple.com/.../filerecovery.html
  • Anonymous
    April 04, 2011
    Really a nice post, and the software you have mentioned is good. Due to a past experience of data loss I am using Stellar data recovery software for my PC, because using this software I recovered all my lost data.
  • Anonymous
    April 05, 2011
    Please, I can't clearly follow your explanation to Adam: ''Open Certificate Authority on your server where you have the CA role installed and then select Certificate Templates, right click and select Manage. In the list of default templates, select Key Recovery Agent, right click and select Duplicate Template. Give a new name to this template, say BitLocker DRA. In Properties of the template, under Extensions add BitLocker DRA as shown in the steps in the blog.'' So please can you help me with example images? Thank you
  • Anonymous
    May 22, 2011
    Hey Manoj, can you help me out with this? My HDD needs a recovery key for Bitlocker, whereas I have formatted the PC. Now the key is gone. The only thing I have is the recovery key identification. I don't want to format the HDD, but am not able to use it either as it is already encrypted. Any solutions?
  • Anonymous
    June 21, 2012
    I have lost my recovery key & my ID is 139B30DE-DDC5-442A-B62B-2A1920C1830D
  • Anonymous
    June 21, 2012
    The comment has been removed
  • Anonymous
    August 30, 2012
    The comment has been removed
  • Anonymous
    October 15, 2012
    BitLocker recovery key identification 4A00E12C-8AD1-4ED7-AFE8-D6FB602EEE13. Please can you help me? Thanks
  • Anonymous
    November 17, 2012
    Tnx...
  • Anonymous
    November 28, 2012
    I accidentally deleted a bitlocker encrypted partition in Windows 7 Ultimate. Now it appears as "Unallocated" space in Disk Management. How do I get Windows 7 to recognise the partition again?
  • Anonymous
    January 01, 2013
    How to unlock and remove the BitLocker recovery key from my USB?
  • Anonymous
    January 09, 2013
    Hello, great article. But I also have problems creating a Key Recovery Agent with the "BitLocker Drive Encryption" and "Bitlocker Data Recovery Agent" extensions. I can't add those extensions to my duplicated template, they're not listed under Extensions... any ideas?
  • Anonymous
    April 17, 2013
    How to unlock bitlocker? I have the ID.
  • Anonymous
    May 14, 2013
    Please support for recovery of bitlocker automatic lock system
  • Anonymous
    October 30, 2013
    Great article. One issue though is that I've installed the BitLocker Drive Encryption feature on both DCs that our internal MS CA is a member of, and the two new application policies are not showing up. I used a schema admins account as well. Any suggestions? Also, if we have multiple domains in the forest, do I need to install the BitLocker Drive Encryption feature on all the DCs in order to use BitLocker in all the domains? Thanks, Joe
  • Anonymous
    December 03, 2013
    Dear sir, please help me. I forgot my BitLocker key and password. Please help me sir, all my important data is in the drive. So please reply to this email id: psuhel46@yahoo.in, suhel.mca46@gmail.com
  • Anonymous
    January 25, 2014
    The comment has been removed
  • Anonymous
    January 25, 2014
    www.datasavers.com.sg Offering good services.
  • Anonymous
    February 04, 2014
    Dear sir, please help me. I forgot my BitLocker key and password. Please help me sir, all my important data is in the drive. So please reply to this email id: ripatkhan@gmail.com
  • Anonymous
    June 03, 2014
    Hello Manoj, I have forgotten the password for my Toshiba external hard drive and I also don't have the recovery key (rather, there was no option of saving a recovery key or any mention of a recovery key when I encrypted the drive). What can I do? Please help! Thanks
  • Anonymous
    August 29, 2014
    Hello Manoj, is it the same procedure for Windows 8 and 8.1 on a domain? also do you know if it would still be FIPS 140-2 compliant?
  • Anonymous
    September 23, 2014
    The comment has been removed
  • Anonymous
    October 21, 2014
    Great to share Bitlocker Data Recovery. Our data recovery firm in Bristol - http://goo.gl/OVQxyB
  • Anonymous
    November 07, 2014
    The comment has been removed
  • Anonymous
    November 14, 2014
    The comment has been removed
  • Anonymous
    November 24, 2014
    Nice configuration tips. http://goo.gl/elxUyu
  • Anonymous
    January 21, 2015
    The comment has been removed
  • Anonymous
    February 25, 2015
    I have been using Bitlocker Data Recovery for one year. It is really helpful software for your data recovery solutions. It recovers almost ninety-five percent of data from your corrupt storage media device.
  • Anonymous
    April 13, 2015
    Really great post and Thanks..
    see : http://www.geeksonsite.co.nz/
  • Anonymous
    January 16, 2016
    I have a drive I locked through Windows 7 BitLocker and I upgraded to Windows 10, and now my drive won't unlock. I placed the recovery file on the same drive before I upgraded to Windows 10. I need to unlock the drive and get my data out of it.
    ahmadfaraz81@hotmail.com
  • Anonymous
    February 28, 2016
    Hi all... This is indeed an interesting post! I've spent a lot of time with BitLocker and I think it has addressed a big need in our industry. I have attempted all these things. I have some questions to ask, like: Is the BitLocker recovery information stored in plain text in AD DS? I also want to know whether I can access my BitLocker-protected drive if I insert the hard disk into a different computer. Keep posting!
  • Anonymous
    March 10, 2016
    You need to enable BitLocker on the Certificate Authority server; only then will you be able to see BitLocker Drive Encryption and BitLocker Drive Recovery Agent under the application policies during the duplicate template creation process.
    • Anonymous
      March 10, 2016
      You need to enable the BitLocker Drive Encryption feature on the Certificate Authority server.