BitLocker data recovery agents (DRAs) are users who can unlock drives when the owner of a computer or removable drive has forgotten the password and no recovery key is available.
A recovery agent is defined by a certificate: its public key is used to add an additional key protector to each drive, and to unlock a drive, the agent must import that certificate, together with its private key, into the personal certificate store on the computer in question.
By default, a Windows CA does not contain a template for BitLocker data recovery. It is therefore necessary to create one based on the Key Recovery Agent template.
Creating a certificate template
The first step is to open the MMC and load the Certificate Templates snap-in. Right-click Key Recovery Agent and select Duplicate Template from the context menu.
In the subsequent dialog box, enter a descriptive name for the template under the General tab and change the validity period if necessary.
If you wish, you can select the Publish certificate in Active Directory option, because the wizard for creating the recovery agent GPO can later read the certificate from there instead of from an exported file.
Then open the Extensions tab, select Application Policies, click the Edit button, and in the next window, click Add. From the list that appears, select BitLocker Data Recovery Agent and BitLocker Drive Encryption.
Another customization is necessary under the Issuance Requirements tab. There, you disable the CA certificate manager approval option, which is selected by default for the Key Recovery Agent template. Without it, a certificate is issued automatically to anyone who is allowed to enroll.
For that reason, under Security, restrict the Enroll permission to the users who are actually meant to act as recovery agents; anyone holding a certificate from this template can unlock every drive the agent is assigned to.
Issuing the template
After saving the new template, you have to activate it. To do this, open the Certification Authority snap-in in the MMC and select New > Certificate Template to issue from the context menu of the Certificate Templates folder.
In the list that appears, select the new template for BitLocker Recovery Agent and confirm it with OK.
Issuing the certificate
Now you can request a certificate based on this template. To do so, open certmgr.msc and select All Tasks > Request New Certificate from the context menu of Certificates – Current User > Personal.
You can simply confirm the first two dialog boxes. For the third, select the template that you created earlier. If you want, you can open Details > Properties and enter a meaningful display name. Click Enroll to complete the process.
Exporting the certificate
For the group policy that designates the recovery agent, you need to export the certificate without the private key. For this purpose, select the just issued certificate in certmgr.msc and start the command All Tasks > Export from its context menu.
After the Welcome page, you will get to the dialog box where the option No, do not export the private key is already enabled.
Leave it like this and also keep the preselected DER encoded-binary X.509 (.CER) format on the next page.
Finally, specify the path and name of the file where you want to save the certificate and complete the process.
To unlock a drive, a recovery agent needs the certificate, including the private key. For this purpose, repeat the procedure just described, but select the option to export the private key. For file format, only PKCS #12 (.PFX) is available in this case.
Before creating the file, you have to set a password to protect the private key. It goes without saying that you should use a strong password here and store the PFX file in a safe place afterwards: it is effectively a master key for every drive that carries this recovery agent as a protector, so it belongs offline and in the hands of the agent only, never on a file share or in the GPO.
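The enrollment and both exports described above can be scripted. The following PowerShell is an added example and not part of the original article; it assumes the template's technical name (the Template name field, not the display name) is BitLockerDRA, that the current user has Enroll permission on it, and that C:\DRA exists. It also checks that the issued certificate actually carries the two BitLocker application policies, which is the usual reason a DRA later fails to unlock anything.

```powershell
# Added example, not from the article: enroll a BitLocker DRA certificate,
# verify its application policies, then export it as .cer (for the GPO)
# and as .pfx (for the recovery agent's own workstation).
$TemplateName = 'BitLockerDRA'        # assumption: technical template name
$OutDir       = 'C:\DRA'              # assumption: existing output folder

# Microsoft's OIDs for the two application policies added on the Extensions tab
$RequiredPolicies = @{
    '1.3.6.1.4.1.311.67.1.1' = 'BitLocker Drive Encryption'
    '1.3.6.1.4.1.311.67.1.2' = 'BitLocker Data Recovery Agent'
}

# 1. Request the certificate from the enterprise CA into the user's Personal store.
#    Because manager approval is disabled on the template, the status should be Issued.
$enrollment = Get-Certificate -Template $TemplateName -CertStoreLocation 'Cert:\CurrentUser\My'
if ($enrollment.Status -ne 'Issued') {
    throw "Enrollment did not complete, status is '$($enrollment.Status)'."
}
$cert = $enrollment.Certificate

# 2. Collect the policy OIDs from the EKU extension and from the
#    Application Policies extension (1.3.6.1.4.1.311.21.10) and check both BitLocker OIDs.
$foundOids = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
$appPolicyExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.10' }
if ($appPolicyExt) {
    $foundOids += [regex]::Matches($appPolicyExt.Format($true), '\d+(\.\d+){4,}') |
        ForEach-Object { $_.Value }
}
foreach ($oid in $RequiredPolicies.Keys) {
    if ($foundOids -notcontains $oid) {
        throw "Certificate lacks '$($RequiredPolicies[$oid])' ($oid); check the template's Extensions tab."
    }
}
if (-not $cert.HasPrivateKey) {
    throw 'No private key is associated with the certificate; the agent could not unlock drives with it.'
}

# 3. Public part only, DER encoded (.cer): this is what the recovery agent GPO consumes.
Export-Certificate -Cert $cert -FilePath (Join-Path $OutDir 'BitLockerDRA.cer') -Type CERT | Out-Null

# 4. Certificate plus private key (PKCS #12): only for the recovery agent, protected by a password.
$pfxPassword = Read-Host -AsSecureString -Prompt 'Password for the PFX file'
Export-PfxCertificate -Cert $cert -FilePath (Join-Path $OutDir 'BitLockerDRA.pfx') -Password $pfxPassword | Out-Null

"DRA certificate issued. Thumbprint: $($cert.Thumbprint)"

# 5. On the recovery agent's computer, as the agent user, the PFX is imported into the
#    Personal store of that user; this is the step the article refers to for unlocking.
# Import-PfxCertificate -FilePath 'C:\DRA\BitLockerDRA.pfx' -CertStoreLocation 'Cert:\CurrentUser\My' -Password (Read-Host -AsSecureString)
```

The import in step 5 is commented out because it is run on a different machine and by a different user than the enrollment; keep the thumbprint the script prints, since it identifies the agent certificate in the BitLocker protector list of every drive the GPO later covers.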