Share via


Setting up Data Recovery Agent for Bitlocker

You might have already read on TechNet and one of the other AskCore Blogson how to setup Data Recovery Agent (DRA) for BitLocker. However, how do you request a certificate from internal Certificate Authority (AD CS) to enable Data Recovery Agent (DRA). Naziya Shaik and I have written detailed instructions here and hope it is helpful.

So what is a Data Recovery Agent?

Data recovery agents are individuals whose public key infrastructure (PKI) certificates have been used to create a BitLocker key protector, so those individuals can use their credentials to unlock BitLocker-protected drives. Data recovery agents can be used to recover BitLocker-protected operating system drives, fixed data drives, and removable data drives. However, when used to recover operating system drives, the operating system drive must be mounted on another computer as a data drive for the data recovery agent to be able to unlock the drive. Data recovery agents are added to the drive when it is encrypted and can be updated after encryption occurs.

Below are the steps needed.  From creating the certificate on the Certification Authority, to using it on Client machine.

The machines in use are:

1. Windows Server 2012 R2 DC and CA

2. Windows 10 Enterprise

If I go to Windows 10 and try to request a DRA certificate, we cannot see it as illustrated below:

image

In order for the client to see a DRA certificate, we need to copy the Key Recovery Agent template, add BitLocker Drive Encryption, and BitLocker Drive Recovery Agent from the application policies.

Here is how you do it.

1. On a CA, we created a duplicate of the Key Recovery Agent and named it BitLocker DRA.

image

2. Add the BitLocker Drive Encryption and BitLocker Data Recovery Agent by going into Properties -- > Extensions and edit Application Policies.

image

3. In the CA Management Console, go into Certificate Templates and add BitLocker DRAas the template to issue.

image

On a Windows 10 client, adding Certificate Manager to Microsoft Management Console:

1. Click Start, click Run, type mmc.exe, and then click OK.

2. In the File menu, click Add/Remove Snap-in.

3. In the Add/Remove Snap-in box, click Add.

4. In the Available Standalone Snap-ins list, click Certificates, and click Add.

5. Click My user account, and click Finish.

6. Then click OK.

Then under Certificates -- > Personal -- > Right click on Certificate -- > All Tasks -- > Request New Certificate

image

These are the Certificate Enrollment steps

image

Click Next andin our case, we have Active Directory Enrollment Policy

image

Click Nextand you will see the BitLocker DRA certificate which we created above.

image

Select BitLocker DRA and click Enroll.

This is what it looks like.

image

The next steps are pretty much the same as given in this Blog. We will need to export the certificate to be used across all the machines.

To accomplish this, right click on the certificate above and choose Export.

image

This will bring up the export wizard.

image

On the Export Private Key page, leave the default selection of No, do not export the private key.

image

On the Export File Format page, leave the default selection of DER encoded binary X.509 (.CER) .

image

The next window is specifying the location and file name of the certificate you are exporting.  In my case below, I chose to save it to the desktop.

image

Click Finish to complete the wizard.

image

The next step will be to import that certificate into our BitLocker GPO to be able to use. In this, I have a GPO called BitLocker DRA.

Under Computer Configuration -- > Policies -- > Windows Settings -- > Security Settings -- > Public Key Policies -- > Right click BitLocker Drive Encryption –> Add Data Recovery Agent

image

This will start the Add Data Recovery Agent wizard.

image

Click Browse Folders and point it to the location where you saved the certificate. My example above was from the desktop, so got from there.

image

Double click on the certificate to load it.

image

Click Next and Finish.

You will see the certificate imported successfully.

image

Additionally, make sure that you have the below GPO enabled.  In Group Policy Editor, expand Computer Configuration -- > Administrative Templates -- > Windows Components -- > BitLocker Drive Encryption and ensure Enabled is selected .

image

Running Manage-bdeto get the status on the client you enabled Bitlocker on, you will see Data Recovery Agent (Certificate Based) to show it is currently set.

image

Thanks,

Saurabh Koshta
Naziya Shaikh

Comments

  • Anonymous
    October 17, 2015
    I think you're missing a very important step - exporting the private key and escrowing it somewhere safe. What good is the recovery agent if you can't find the key later?
  • Anonymous
    October 17, 2015
    {rtf1ansiansicpg1252
    {fonttblf0fnilfcharset0 TimesNewRomanPSMT;}
    {colortbl;red255green255blue255;red0green0blue0;}
    deftab720
    pardpardeftab720partightenfactor0

    f0fs36 cf0 expnd0expndtw0kerning0
    outl0strokewidth0 strokec2 }
  • Anonymous
    November 19, 2015
    When i go to step 2 "2. Add the BitLocker Drive Encryption and BitLocker Data Recovery Agent by going into Properties -- > Extensions and edit Application Policies." There is no listing for those two extensions. How do I get them to appear? I am on an Enterprise Root CA.
  • Anonymous
    November 19, 2015
    Step 2 I neither option "2. Add the BitLocker Drive Encryption and BitLocker Data Recovery Agent by going into Properties -- > Extensions and edit Application Policies." Neither one of the extensions shows up at all. Is MBAM required to make those appear? I have a Enterprise Root CA.
  • Anonymous
    December 18, 2015
    Hi, like the others I'm only seeing the "BitLocker" extensions available when the BitLocker feature is installed on my test CA. I'm not wanting to install this feature on my production CA currently. Is there another way to add these extensions (can i manually add them with a specific OID, or something)? Thank you for your time.
  • Anonymous
    February 25, 2016
    if you arent seeing the option for the other 2 extensions you need to ensure that you have microsift bitlocker administration and monitoring tool I believe this can be downloaded from https://www.microsoft.com/en-us/download/details.aspx?id=26796
  • Anonymous
    April 27, 2016
    The comment has been removed
  • Anonymous
    September 06, 2016
    So many missing steps. Virtually useless if you've never done this before.
  • Anonymous
    September 15, 2016
    If the BitLocker Drive Encryption and BitLocker Data Recovery Agent are missing from Extensions and edit Application Policies Install Bitlocker Drive Encryption from the Server Manager Add Roles and Features on the Server that houses the CA. Reboot and the options will then be there.
  • Anonymous
    October 21, 2017
    Hi I'm Francis Sthanzanawi.... I need a help. What can I do you recover my bitlocker key.. the ID is this DB80A69517E94632828BDD376D825052 I tried other mains and I couldn't... please.