BitLocker offers a number of ways to unlock a volume, including TPM plus PIN, passwords, SIDs of Active Directory accounts, or recovery keys. Another option is recovery agents, who can unlock a BitLocker-encrypted volume with the help of a certificate.
Recovery agents for data drives
Which option you choose depends not only on the requirements of your own environment, but also on the type of media. For example, recovery agents are only suitable for data drives, not for system drives. The latter can only be unlocked in this way if the computer is not booted from this volume and is treated like a data drive.
In corporate networks, recovery agents will probably be considered an alternative to storing recovery keys in Active Directory. The latter means that a separate key must be stored in AD for each volume on which BitLocker is activated. In environments with a large number of computers, this can lead to a considerable amount of data for AD replication.
The certificate for recovery agents, on the other hand, must be stored in the local store of each computer on which you want to unlock a drive. Therefore, this technique is very suitable for the helpdesk to unlock encrypted USB sticks from employees who no longer have access to their data.
Certificate for recovery agents
To set up a recovery agent, you need a certificate issued specifically for this purpose. Therefore, you need to create a customized template in a Windows CA (see Issuing a Certificate for BitLocker Recovery Agent).
After exporting the certificate with and without the private key, you can start configuring the group policies. The GPO should be linked to the OUs containing the computers on whose drives the certificate-based protector is to be written.
Group policy for public key
For the first setting, go to Computer configuration > Policies > Windows Settings > Security Settings > Public Key Policies. From the context menu of BitLocker Drive Encryption, run the command Add Data Recovery Agent.
This starts a wizard, whose welcome screen you can skip. In the following dialog box, load the certificate, either from Active Directory (Browse Directory button) or from the exported .cer file. If you choose the second option, the value for User is set to USER_UNKNOWN.
In the next dialog box, complete the process by confirming the previously entered data. Of course, it is possible to repeat the process as many times as you like and thus set up multiple agents.
Settings for BitLocker
The next step is to open the branch under Computer Configuration > Policies > Administrative Templates > Windows Components > BitLocker Drive Encryption. Here, activate the setting Provide the unique identifiers for your organization and enter your preferred ID. This can be any value up to 260 characters, and it is case-sensitive.
Finally, change from here to the folder for the type of drive that you want to unlock with an agent, in our example to Removable Data Drives. There you enable the setting Choose how BitLocker-protected removable disks can be recovered. In addition, check the Allow data recovery agent option.
As you can see here, recovery keys can still be stored in Active Directory after recovery agents are defined. This means both unlocking techniques can be used side by side.
Show Protector on drives
After applying the GPO to the desired machines, all USB drives will receive the certificate-based protector for the agent when BitLocker is turned on. This can be verified by the following command:
manage-bde -protectors -get <drive letter>:
Unlocking the data drive
In order for a recovery agent to unlock a disk, its certificate, including the private key, must be installed in the local store. This is automatically the case if you requested it from that PC.
Otherwise, you must import it from the .pfx file. In certmgr.msc, there is a command for this in the My Certificates context menu under All Tasks.
Then take the thumbprint of the certificate from the above call to manage-bde and pass it to one more call of manage-bde:
manage-bde -unlock <drive letter>: -cert -ct <thumbprint>
If the associated certificate is present on this PC, the drive should now be unlocked.
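The two manage-bde calls above (reading the protector, then unlocking with the certificate thumbprint) are what a helpdesk script would chain together. The following PowerShell is an added example and not part of the original article: it parses the protector list for certificate-based (data recovery agent) thumbprints, checks that a matching certificate with its private key is present in the user's personal store, and only then calls manage-bde -unlock. It assumes that manage-bde prints the text "Certificate Thumbprint:" followed by the 40-character hex thumbprint for a DRA protector, that the agent's certificate was imported into Cert:\CurrentUser\My (the My Certificates store from certmgr.msc), and that the session is elevated. The function names and the sample manage-bde output are constructed for this example.

```powershell
# Added example (not from the 4sysops article): helpdesk helper that reads the
# certificate-based (data recovery agent) protector from a data drive, confirms
# the matching certificate with private key is in the user's store, and then
# unlocks the drive with manage-bde. Run in an elevated PowerShell session.
#
# Assumptions (not taken from the article): manage-bde prints
# "Certificate Thumbprint:" followed by the hex thumbprint for a DRA protector,
# and the DRA certificate was imported into Cert:\CurrentUser\My.

function ConvertFrom-ManageBdeProtectors {
    # Parses the text of "manage-bde -protectors -get X:" and returns the
    # thumbprint(s) of certificate-based protectors (40 hex chars, SHA-1).
    param([Parameter(Mandatory)][string]$Text)
    $found = [regex]::Matches($Text, 'Thumbprint:\s*([0-9A-Fa-f]{40})')
    foreach ($m in $found) { $m.Groups[1].Value.ToUpperInvariant() }
}

function Get-DraThumbprint {
    # Runs manage-bde for the given drive letter and returns DRA thumbprints.
    param([Parameter(Mandatory)][string]$DriveLetter)
    $out = & manage-bde.exe -protectors -get "$($DriveLetter):" 2>&1 | Out-String
    ConvertFrom-ManageBdeProtectors -Text $out
}

function Test-DraCertificatePresent {
    # True only if the certificate is in the user's personal store AND the
    # private key is available; the public .cer alone cannot unlock anything.
    param([Parameter(Mandatory)][string]$Thumbprint)
    $cert = Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { return $false }
    return [bool]$cert.HasPrivateKey
}

function Unlock-DraDrive {
    # Unlocks the drive with the first DRA certificate that is usable locally
    # and returns the resulting LockStatus (expected: Unlocked).
    param([Parameter(Mandatory)][string]$DriveLetter)
    $thumbprints = @(Get-DraThumbprint -DriveLetter $DriveLetter)
    if ($thumbprints.Count -eq 0) {
        throw "No certificate-based protector on $($DriveLetter): (was the GPO applied before BitLocker was turned on?)"
    }
    foreach ($tp in $thumbprints) {
        if (Test-DraCertificatePresent -Thumbprint $tp) {
            & manage-bde.exe -unlock "$($DriveLetter):" -cert -ct $tp
            if ($LASTEXITCODE -ne 0) {
                throw "manage-bde -unlock failed with exit code $LASTEXITCODE"
            }
            return (Get-BitLockerVolume -MountPoint "$($DriveLetter):").LockStatus
        }
    }
    throw "None of the DRA certificates ($($thumbprints -join ', ')) is present with a private key in Cert:\CurrentUser\My"
}

# Constructed sample of the relevant part of manage-bde output, so the parser
# can be exercised without an encrypted drive attached (GUID and thumbprint are
# made-up values).
$sampleOutput = @"
    Data Recovery Agent (Certificate Based):
      ID: {11111111-2222-3333-4444-555555555555}
      Certificate Thumbprint:
        0123456789ABCDEF0123456789ABCDEF01234567
"@
ConvertFrom-ManageBdeProtectors -Text $sampleOutput

# Real use on an attached, locked USB drive mounted as E: (example letter):
# Unlock-DraDrive -DriveLetter E
```

Checking HasPrivateKey before calling manage-bde gives a clearer failure message than the generic manage-bde error when only the public .cer was imported, which is the most common helpdesk mistake with this setup.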