Using Data Recovery Agents with BitLocker
Applies To: Windows 7, Windows Server 2008 R2
Data recovery agents are accounts that are able to decrypt BitLocker-protected drives by using their smart card certificates and public keys. Recovery of a BitLocker-protected drive can be accomplished by a data recovery agent that has been configured with the proper certificate. Before a data recovery agent can be configured for a drive, you must add the data recovery agent to Public Key Policies\BitLocker Drive Encryption in either the Group Policy Management Console (GPMC) or the Local Group Policy Editor. You must also enable and configure the Provide the unique identifiers for your organization policy setting to associate a unique identifier with each new drive that is enabled with BitLocker. An identification field is a string that is used to uniquely identify a business unit or organization. Identification fields are required for management of data recovery agents on BitLocker-protected drives. BitLocker will only manage and update data recovery agents when an identification field is present on a drive and is identical to the value configured on the computer.
Configuring BitLocker to use data recovery agents
To use data recovery agents with BitLocker, you must have configured the BitLocker identification field and identified the data recovery agents in the Public Key Policies Group Policy settings for BitLocker Drive Encryption. The following procedures describe how to perform these tasks:
To configure an identification field
To assign a BitLocker identification field to a BitLocker-protected drive
To verify the identification field has been set on a BitLocker-protected drive
To configure a data recovery agent
To list data recovery agents configured for a BitLocker-protected drive
Local Administrators is the minimum group membership required to complete these procedures.
To configure an identification field
In the GPMC or Local Group Policy Editor under Computer Configuration\Administrative Templates\Windows Components, click BitLocker Drive Encryption to show the policy settings.
In the details pane, double-click the Provide the unique identifiers for your organization policy setting.
Click Enable. In BitLocker Identification Field, enter the identification field for your organization.
Click OK to apply and close the policy setting.
To assign a BitLocker identification field to a BitLocker-protected drive
By default, BitLocker identification fields are associated with BitLocker-protected drives when BitLocker protection is turned on for the drive. This procedure is provided for use in cases where the decision to use a BitLocker identification field was made after the drive was encrypted by BitLocker. BitLocker identification fields are required to use data recovery agents to recover BitLocker-protected drives.
Log on as an administrator to the computer where you want to assign the identification field.
Open a Command Prompt window as an administrator.
To do this, click Start, type cmd in the Search programs and files box, right-click cmd.exe, and then click Run as administrator.
If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.
At the command prompt, type the following command, replacing <drive letter> with the drive letter identifier (for example, E:) of the BitLocker-protected drive.
manage-bde -SetIdentifier <drive letter>
The Manage-bde command-line tool will set the identification field to the value specified in the Provide the unique identifiers for your organization Group Policy setting.
After the value has been set, Manage-bde will display a message informing you that the drive identifier has been set.
Note
Drives that were encrypted with BitLocker before an identification field was configured will not have data recovery agents assigned to them due to the absence of an identification field. It is possible to use Windows Management Instrumentation (WMI) or the Manage-bde command-line tool to set an identification field on a previously encrypted drive. When using Manage-bde, the identification field will be set to the value specified in the Provide the unique identifiers for your organization policy setting. Identification fields are also used to determine if updated data recovery agent information should be written to the drive and to determine which organization a drive belongs to when the Do not allow write access to devices configured in another organization policy setting is enabled. Changes to the identification field will affect both of these features.
To verify the identification field has been set on a BitLocker-protected drive
Drives that are encrypted with BitLocker after an identification field is configured will be assigned the identification field specified in the Provide the unique identifiers for your organization Group Policy setting and may have data recovery agents assigned to them. If you are unsure whether a drive has been assigned an identification field, you can use Manage-bde to query the status of a drive. The returned information will include the identification field.
Log on as an administrator to the computer where you want to determine the identification field.
Open a Command Prompt window as an administrator.
To do this, click Start, type cmd in the Search programs and files box, right-click cmd.exe, and then click Run as administrator.
If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.
At the command prompt, type the following command, replacing <drive letter> with the drive letter identifier (for example, E:) of the BitLocker-protected drive.
manage-bde -status <drive letter>
The Manage-bde command-line tool provides information about the settings of the drive. The following is an example of the information returned.
E:\>manage-bde -status e:
BitLocker Drive Encryption: Configuration Tool version 6.1.7600
Copyright (C) Microsoft Corporation. All rights reserved.

Volume E: []
[Data Volume]

    Size:                 1.93 GB
    BitLocker Version:    Windows 7
    Conversion Status:    Encryption in Progress
    Percentage Encrypted: 27%
    Encryption Method:    AES 128 with Diffuser
    Protection Status:    Protection Off
    Lock Status:          Unlocked
    Identification Field: ContosoBitLockerSelfHost
    Automatic Unlock:     Disabled
    Key Protectors:
        PassPhrase
        Numerical Password
To configure a data recovery agent
Open either the GPMC or the Local Group Policy Editor.
In the console tree under Computer Configuration\Windows Settings\Security Settings\Public Key Policies, right-click BitLocker Drive Encryption.
Click Add Data Recovery Agent to start the Add Recovery Agent Wizard. Click Next.
On the Select Recovery Agents page, click Browse Folders, and select a .cer file to use as a data recovery agent. After the file is selected, it will be imported and will appear in the Recovery agents list in the wizard. Multiple data recovery agents can be specified. After you have specified all the data recovery agents that you want to use, click Next.
The Completing the Add Recovery Agent page of the wizard displays a list of the data recovery agents that will be added to the Group Policy. Click Finish to confirm the data recovery agents, and close the wizard.
After the wizard closes, the data recovery agents appear in the details pane.
To list data recovery agents configured for a BitLocker-protected drive
If a data recovery agent has been configured and an identification field has been set and assigned to a drive, the specific drive will be assigned the data recovery agent that was configured in the Computer Configuration\Windows Settings\Security Settings\Public Key Policies\BitLocker Drive Encryption Group Policy setting. You can use the Manage-bde command-line tool to display a list of the existing key protectors on a BitLocker-protected drive. This list includes certificate-based protectors.
Log on as an administrator to the computer where you want to list the configured data recovery agents.
Open a Command Prompt window as an administrator.
To do this, click Start, type cmd in the Search programs and files box, right-click cmd.exe, and then click Run as administrator.
If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.
At the command prompt, type the following command, replacing <drive letter> with the drive letter identifier (for example, E:) of the BitLocker-protected drive.
manage-bde -protectors -get <drive letter>
The Manage-bde command-line tool provides information about the key protectors configured for the drive. The following is an example of the information returned.
E:\>manage-bde -protectors -get E:
BitLocker Drive Encryption: Configuration Tool version 6.1.7600
Copyright (C) Microsoft Corporation. All rights reserved.

Volume E: []
All Key Protectors

    PassPhrase:
      ID: {61DC1871-3544-4438-A153-7F1CE14297B8}

    Numerical Password:
      ID: {24B0AA32-F8D0-40BA-BB05-73A800324C09}
      Password:
        461109-608201-413820-485342-181588-463056-430617-501391

    Data Recovery Agent (Certificate Based):
      ID: {3F81C18D-A685-4782-8F55-99C6452980E7}
      Certificate Thumbprint:
        9de688607336294a52b445d30d1eb92f0bec1e78
In this example, if the private key that corresponds to the data recovery agent certificate is available in the local certificate store, the administrator could unlock the drive by using the data recovery agent protector with the following Manage-bde command.
manage-bde -unlock E: -Certificate -ct 9de688607336294a52b445d30d1eb92f0bec1e78
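The two verification procedures above (checking the identification field with manage-bde -status and listing the data recovery agent protector with manage-bde -protectors -get) can be turned into one audit check. The following Python script is an added example, not part of this article or of Manage-bde: it parses the output layout shown above, using sample output constructed to match it, and flags the conditions under which BitLocker will not manage data recovery agents on a drive. The policy identification field and the expected DRA certificate thumbprint are assumed to be supplied by the caller from the Group Policy configuration.

```python
import re
# Constructed sample output, modelled on the manage-bde output shown in this article.
STATUS_OUTPUT = """\
Volume E: [] [Data Volume]
    Lock Status:          Unlocked
    Identification Field: ContosoBitLockerSelfHost
"""
PROTECTORS_OUTPUT = """\
Volume E: []
All Key Protectors

    Numerical Password:
      ID: {24B0AA32-F8D0-40BA-BB05-73A800324C09}

    Data Recovery Agent (Certificate Based):
      ID: {3F81C18D-A685-4782-8F55-99C6452980E7}
      Certificate Thumbprint:
        9de688607336294a52b445d30d1eb92f0bec1e78
"""

def identification_field(status_text):
    # Value of 'Identification Field:' in 'manage-bde -status' output; None if absent or blank.
    m = re.search(r"Identification Field:[ \t]*(.*)", status_text)
    value = m.group(1).strip() if m else ""
    return None if value in ("", "None") else value

def dra_thumbprints(protectors_text):
    # Thumbprints of every certificate-based DRA protector in 'manage-bde -protectors -get' output.
    thumbs = []
    for block in re.split(r"\n[ \t]*\n", protectors_text):
        if "Data Recovery Agent" in block:
            m = re.search(r"Certificate Thumbprint:\s*([0-9a-fA-F]{40})", block)
            if m:
                thumbs.append(m.group(1).lower())
    return thumbs

def audit_drive(status_text, protectors_text, policy_id, policy_thumbprints):
    # policy_id / policy_thumbprints: what Group Policy configures (assumed known to the caller).
    # Returns the reasons BitLocker would not manage DRAs on this drive, or [] if all is well.
    findings = []
    id_field = identification_field(status_text)
    if id_field is None:
        findings.append("no identification field set (use manage-bde -SetIdentifier)")
    elif id_field != policy_id:
        findings.append(f"identification field {id_field!r} differs from policy {policy_id!r}")
    thumbs = dra_thumbprints(protectors_text)
    if not thumbs:
        findings.append("no data recovery agent protector on the drive")
    for t in thumbs:
        if t not in policy_thumbprints:
            findings.append(f"DRA certificate {t} is not the one configured in policy")
    return findings
```

On a live computer, pass the captured output of the two Manage-bde commands in place of the constructed samples; a non-empty result means recovery through the data recovery agent cannot be relied on for that drive.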