
Data recovery agent support

You need to know how to configure BitLocker and BitLocker To Go so that a DRA can be used to recover BitLocker encrypted volumes.

Typically you use either a 48-digit recovery password or a 256-bit recovery key that is unique to the BitLocker-protected volume to recover data from a BitLocker-protected drive. You can use a DRA to recover information even if the recovery password is lost. The advantage of a DRA is that you need to use only one certificate to perform recovery rather than having to extract a specific recovery key. To configure BitLocker to support a DRA, perform the following steps:

  1. Add the DRA certificate (the certificate enrolled to the designated recovery user account) to the Computer Configuration\Windows Settings\Security Settings\Public Key Policies\BitLocker Drive Encryption node.
  2. Configure the Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Provide The Unique Identifiers For Your Organization policy. BitLocker can manage and update DRAs only when the identification field on the drive matches the value configured in this policy.
  3. Configure the following policies to allow particular volume types to be recoverable with a DRA:
    • Choose How BitLocker-Protected Operating System Drives Can Be Recovered
    • Choose How BitLocker-Protected Fixed Drives Can Be Recovered
    • Choose How BitLocker-Protected Removable Drives Can Be Recovered
  4. To verify that a BitLocker-protected volume is configured for recovery using a DRA, run the manage-bde -protectors -get <drive> command. The output of this command displays the certificate thumbprint associated with the DRA.

If you enabled BitLocker on a volume before configuring a DRA, use the manage-bde -SetIdentifier <drive> command to write the organization's identification field to the volume so that it becomes recoverable by the DRA. To recover a BitLocker-encrypted volume, ensure that the DRA certificate is present in the certificate store and then run the manage-bde.exe -unlock <drive> -Certificate -ct <certificate thumbprint> command from an elevated command prompt.
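Step 4 above checks one volume by hand; the following PowerShell script is an added example (not from the original text) that automates that check across every local fixed and removable volume, parsing the manage-bde -protectors -get output and flagging volumes that carry no DRA protector or a DRA whose thumbprint differs from the organization's certificate. It assumes an elevated PowerShell 2.0 or later session on Windows 7 with manage-bde.exe on the PATH, that the DRA protector heading contains the words "Data Recovery Agent", that the thumbprint is printed as 40 hex digits (SHA-1), and the placeholder thumbprint must be replaced with your own.

```powershell
# Added example, not from the page: audit local volumes for DRA coverage by
# parsing "manage-bde -protectors -get <drive>" (step 4 of the procedure).
# Assumptions: elevated PowerShell 2.0+ on Windows 7, manage-bde.exe on PATH,
# DRA heading contains "Data Recovery Agent", thumbprint printed as 40 hex digits.

param(
    # Placeholder: replace with the thumbprint of your organization's DRA certificate.
    [string]$ExpectedDraThumbprint = 'REPLACE_WITH_DRA_CERTIFICATE_THUMBPRINT'
)

function Get-DraThumbprints {
    param([string]$Drive)
    # Capture stdout and stderr; an unencrypted volume only yields an error and no protectors.
    $lines = & manage-bde.exe -protectors -get $Drive 2>&1 | ForEach-Object { "$_" }
    $found = @()
    $inDra = $false
    foreach ($line in $lines) {
        # Entering a DRA protector block; its thumbprint follows within the block.
        if ($line -match 'Data Recovery Agent') { $inDra = $true; continue }
        # Only certificate-based protectors print a 40-hex-digit thumbprint;
        # a GUID protector ID never matches because its segments are shorter.
        if ($inDra -and $line -match '\b([0-9A-Fa-f]{40})\b') {
            $found += $Matches[1].ToUpper()
            $inDra = $false
        }
    }
    return ,$found
}

$expected = $ExpectedDraThumbprint.ToUpper()
# DriveType 3 = local fixed disk, 2 = removable disk (BitLocker To Go).
$drives = Get-WmiObject Win32_LogicalDisk |
    Where-Object { @(2, 3) -contains $_.DriveType } |
    ForEach-Object { $_.DeviceID }

foreach ($drive in $drives) {
    $dra = Get-DraThumbprints -Drive $drive
    if ($dra -contains $expected) { $status = 'OK' }
    elseif ($dra.Count -gt 0)     { $status = 'DRA present but not the expected certificate' }
    else                          { $status = 'No DRA protector: reconfigure per steps 1-3' }
    New-Object PSObject -Property @{
        Drive          = $drive
        DraThumbprints = ($dra -join ',')
        Status         = $status
    }
}
```

A volume reporting "DRA present but not the expected certificate" usually means the identification field or the DRA policy was changed after the volume was encrypted, which is the case the manage-bde -SetIdentifier step addresses.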

Tip:
Remember that it is possible to recover BitLocker-protected volumes using a 48-digit recovery password, a 256-bit recovery key, or a specially configured DRA.