If a user can no longer access an encrypted drive, for example because they have forgotten the password, then the drive must be unlocked using other means. These include recovery agents that can unlock BitLocker volumes using a certificate.

BitLocker offers a number of ways to unlock a volume, including TPM plus PIN, passwords, SIDs of Active Directory accounts or groups, and recovery keys or recovery passwords. Another option is recovery agents, who can unlock a BitLocker-encrypted volume with the help of a certificate.

Recovery agents for data drives

Which option you choose depends not only on the requirements of your own environment, but also on the type of media. Recovery agents are suited to data drives, not to the operating system drive: the pre-boot environment has no certificate store, so a system drive can only be unlocked this way when it is attached to another computer and treated like a data drive.

In corporate networks, recovery agents will probably be considered an alternative to storing recovery passwords in Active Directory. The latter means that a separate recovery object must be stored in AD for every volume on which BitLocker is activated. In environments with a large number of computers, this can lead to a considerable amount of data for AD replication.

With recovery agents, on the other hand, only the public key is distributed to the clients through group policy; the certificate with its private key needs to be present only in the personal store of the computers (and accounts) on which an agent actually unlocks drives. This makes the technique well suited for a helpdesk that unlocks encrypted USB sticks for employees who no longer have access to their data. Bear in mind that this one private key unlocks every drive that carries the agent's protector, so it deserves the same protection as any other recovery credential: restricted accounts, exportable only where necessary, and ideally a smart card or HSM.

Certificate for recovery agents

To set up a recovery agent, you need a certificate issued specifically for this purpose, with the enhanced key usage BitLocker Data Recovery Agent (OID 1.3.6.1.4.1.311.67.1.2). Therefore you need to create a customized template in a Windows CA (see Issuing a Certificate for BitLocker Recovery Agent).

Export the certificate twice: once without the private key (.cer), which goes into the GPO, and once with the private key (.pfx), which stays with the agent. Then you can start configuring the group policy. The GPO should be linked to the OUs containing the computers on whose drives the certificate-based protector is to be written.
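The export step above as an added PowerShell example (not code from the original article). It locates the agent certificate in the requesting user's personal store by its enhanced key usage and exports it once as .cer for the GPO and once as .pfx for the helpdesk workstation. The output paths, the PFX password prompt and the choice of the requesting user's store are assumptions; the EKU OIDs are the ones Windows assigns to BitLocker Data Recovery Agent and BitLocker Drive Encryption.

```powershell
# Added example, not part of the original article.
# Assumptions: the certificate was requested by the current user and sits in
# Cert:\CurrentUser\My with an exportable private key; output paths below are
# placeholders.
$DraEkus = @(
    '1.3.6.1.4.1.311.67.1.2',   # BitLocker Data Recovery Agent
    '1.3.6.1.4.1.311.67.1.1'    # BitLocker Drive Encryption (also accepted by manage-bde)
)
$CerPath = 'C:\Temp\BitLockerDRA.cer'   # public key only -> GPO
$PfxPath = 'C:\Temp\BitLockerDRA.pfx'   # with private key -> agent workstation

# Pick the newest valid certificate that carries one of the BitLocker EKUs
$cert = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        (@($_.EnhancedKeyUsageList.ObjectId | Where-Object { $DraEkus -contains $_ }).Count -gt 0)
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw "No valid certificate with a BitLocker EKU found in Cert:\CurrentUser\My"
}
'Using {0} (thumbprint {1}, valid until {2})' -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter

# 1. Public key only. This file is loaded by "Add Data Recovery Agent" in the GPO.
Export-Certificate -Cert $cert -FilePath $CerPath -Type CERT | Out-Null

# 2. With private key. Keep this file off shares the GPO or clients can read;
#    Export-PfxCertificate fails if the key was issued as non-exportable.
$pfxPassword = Read-Host -Prompt 'Password for the PFX file' -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $pfxPassword | Out-Null

# Sanity check: the .cer must describe the same certificate and carry no private key
$exported = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath
if ($exported.Thumbprint -ne $cert.Thumbprint -or $exported.HasPrivateKey) {
    throw 'Exported .cer does not match the selected certificate or contains a private key'
}
'Exported {0} and {1}' -f $CerPath, $PfxPath
```

Note the thumbprint printed by the script: it is the value you will later pass to manage-bde -unlock, so it is worth recording alongside the ticket or runbook for the helpdesk.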

Group policy for public key

For the first setting, go to Computer configuration > Policies > Windows Settings > Security Settings > Public Key Policies. From the context menu of BitLocker Drive Encryption, run the command Add Data Recovery Agent.

Adding public key for a recovery agent in the GPO editor


This starts a wizard, whose welcome screen you can skip. In the following dialog box, load the certificate, either from Active Directory (Browse Directory button) or from the exported .cer file. If you choose the second option, the value for User is set to USER_UNKNOWN.

Read the public key from the exported certificate or Active Directory


In the next dialog box, complete the process by confirming the previously entered data. Of course, it is possible to repeat the process as many times as you like and thus set up multiple agents.

Settings for BitLocker

The next step is to open the branch under Computer Configuration > Policies > Administrative Templates > Windows Components > BitLocker Drive Encryption. Here, activate the setting Provide the unique identifiers for your organization and enter your preferred ID. This can be any value up to 260 characters, and it is case-sensitive. The identification field is written to every drive encrypted under this policy, and BitLocker only manages the data recovery agent on drives whose identification field matches the configured value.

The use of recovery agents requires that you mark the disks with the organization ID


Finally, still in this branch, open the folder for the type of drive that you want agents to unlock, in our example Removable Data Drives (Fixed Data Drives offers the equivalent setting). There you enable the setting Choose how BitLocker-protected removable drives can be recovered and check the Allow data recovery agent option.

Allow agents to restore BitLocker drives


As you can see here, recovery keys can still be stored in Active Directory after recovery agents are defined. This means both unlocking techniques can be used side by side.
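A check script for the GPO procedure above, added here as an example and not taken from the original article. It reads the BitLocker policy values on a target computer and reports whether the identification field, the removable-drive recovery setting and the DRA flag have arrived. The registry value names are taken from the VolumeEncryption.admx template and the location of the delivered DRA public key is modelled on the EFS recovery agent store; both are assumptions to verify against your own Windows version, as is the expected organization ID.

```powershell
# Added example, not part of the original article.
# Assumptions: value names as in VolumeEncryption.admx (IdentificationField,
# IdentificationFieldString, RDVRecovery, RDVManageDRA); the GPO-delivered DRA
# public key lands under SystemCertificates\FVE; 'Contoso-BitLocker' is a placeholder.
$ExpectedId = 'Contoso-BitLocker'
$FvePolicy  = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$DraStore   = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\FVE\Certificates'

function Test-DraPolicy {
    param([Parameter(Mandatory)][string]$IdentificationField)

    if (-not (Test-Path $FvePolicy)) {
        throw "No BitLocker policy key at $FvePolicy; run gpupdate /force and check the GPO link"
    }
    $p = Get-ItemProperty -Path $FvePolicy

    # Ordered so the report reads top-down like the GPO editor
    $checks = [ordered]@{
        'Identification field enabled'        = ($p.IdentificationField -eq 1)
        'Identification field matches (-ceq)' = ($p.IdentificationFieldString -ceq $IdentificationField)  # case-sensitive
        'Removable drive recovery configured' = ($p.RDVRecovery -eq 1)
        'Data recovery agent allowed (RDV)'   = ($p.RDVManageDRA -eq 1)
        'DRA public key delivered'            = ((Test-Path $DraStore) -and
            (@(Get-ChildItem -Path $DraStore -ErrorAction SilentlyContinue).Count -gt 0))
    }

    foreach ($c in $checks.GetEnumerator()) {
        '{0,-38} {1}' -f $c.Key, $(if ($c.Value) { 'OK' } else { 'MISSING' })
    }

    # Overall verdict, usable from other scripts
    return -not ($checks.Values -contains $false)
}

Test-DraPolicy -IdentificationField $ExpectedId
```

Run it on a client in the linked OU after gpupdate; a MISSING line for the identification field is the most common reason a freshly encrypted stick ends up without the agent protector.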

Show Protector on drives

After applying the GPO to the desired machines, every USB drive that is encrypted from then on (with a matching identification field) receives the certificate-based protector for the agent when BitLocker is turned on. Drives that were already encrypted do not receive it retroactively; for those you can add a certificate protector by hand with manage-bde -protectors -add <drive letter>: -cert -cf <.cer file>. The protector can be verified by the following command:

manage-bde -protectors -get <drive letter>:

Unlocking the data drive

In order for a recovery agent to unlock a disk, the agent's certificate, including the private key, must be installed in the personal store of the account that runs manage-bde. This is automatically the case if you requested the certificate from that PC under that account.

Otherwise, the agent must import it from the .pfx file. In certmgr.msc, there is a command for this in the context menu of the Personal (My) store under All Tasks > Import.

A recovery agent unlocking a drive with manage-bde and the certificate thumbprint


Then take the thumbprint of the certificate from the above call to manage-bde -protectors -get (or from the certificate's Details tab in certmgr.msc) and pass it to one more call of manage-bde:


manage-bde -unlock <drive letter>: -cert -ct <thumbprint>

If the associated certificate is present on this PC, the drive should now be unlocked.
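The unlock procedure of this section, from verifying the protectors to the final manage-bde call, as an added PowerShell example for the helpdesk; it is not code from the original article. The PowerShell Unlock-BitLocker cmdlet has no certificate parameter, so the unlock itself is delegated to manage-bde exactly as above, and the script adds the checks around it: is the drive actually locked, which agent certificates with private key are available, did the unlock succeed. The drive letter is an assumption, as is the use of the current user's personal store.

```powershell
# Added example, not part of the original article.
# Assumptions: the employee's stick is mounted as E:, the agent's certificate
# (with private key) is in Cert:\CurrentUser\My, and the EKUs below are the
# BitLocker Data Recovery Agent / BitLocker Drive Encryption OIDs.
$Drive   = 'E:'
$DraEkus = @('1.3.6.1.4.1.311.67.1.2', '1.3.6.1.4.1.311.67.1.1')

function Get-DraCertificate {
    # Candidate agent certificates: private key present, not expired, BitLocker EKU
    Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object {
            $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
            (@($_.EnhancedKeyUsageList.ObjectId | Where-Object { $DraEkus -contains $_ }).Count -gt 0)
        }
}

function Unlock-DraDrive {
    param([Parameter(Mandatory)][string]$MountPoint)

    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    if ($vol.LockStatus -ne 'Locked') {
        return "$MountPoint is already $($vol.LockStatus); nothing to do"
    }

    # Show the operator which protectors the drive carries (same command as in the article)
    manage-bde -protectors -get $MountPoint

    $certs = @(Get-DraCertificate)
    if ($certs.Count -eq 0) {
        throw 'No usable agent certificate in Cert:\CurrentUser\My; import the .pfx first'
    }

    foreach ($c in $certs) {
        # manage-bde selects the matching protector by certificate thumbprint
        $out = manage-bde -unlock $MountPoint -cert -ct $c.Thumbprint 2>&1
        if ($LASTEXITCODE -eq 0 -and
            (Get-BitLockerVolume -MountPoint $MountPoint).LockStatus -eq 'Unlocked') {
            return "Unlocked $MountPoint with certificate $($c.Thumbprint)"
        }
        Write-Warning "Certificate $($c.Thumbprint) did not unlock $MountPoint`: $($out -join ' ')"
    }
    throw "None of $($certs.Count) agent certificate(s) matched a protector on $MountPoint"
}

Unlock-DraDrive -MountPoint $Drive

# After the user's data has been copied off, lock the volume again so the stick
# does not leave the helpdesk unlocked:
#   manage-bde -lock $Drive -ForceDismount
```

Trying every candidate certificate avoids hard-coding a thumbprint that changes at the next certificate renewal; a drive encrypted under an older agent certificate still carries the older protector and is unlocked by whichever key matches.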

© 4sysops 2006 - 2023