BitLocker Data Recovery Agent to unlock BitLocker encrypted drive

Posted by Tim to BitLocker Recovery on April 26th, 2014

BitLocker Data Recovery Agent

BitLocker data recovery agents are individuals whose public key infrastructure (PKI) certificates have been used to create a BitLocker key protector, so those individuals can use their credentials to unlock BitLocker-protected drives. Data recovery agents can be used to recover BitLocker-protected operating system drives, fixed data drives, and removable data drives. However, when a data recovery agent is used to recover an operating system drive, that drive must be attached to another computer as a data drive before the agent can unlock it. Data recovery agents are added to the drive when it is encrypted and can be updated after encryption has taken place.

When do we use BitLocker Data Recovery Agent?

Windows 7 introduced the BitLocker Data Recovery Agent feature, which can be used to unlock fixed data drives and removable data drives.

Generally, when we encrypt a USB flash drive or a fixed data drive, we set a password that unlocks the drive. A file-based certificate gives the drive an additional protector, and that certificate can also be used to unlock the drive.

When you log on to a Windows 7 client machine and open Control Panel –> BitLocker Drive Encryption, you will see all of your data drives.

Open Certificate Manager on the client computer.

Expand Personal and click Certificates. Right-click Certificates, select All Tasks, and then select Request New Certificate.

Under Certificate Templates, select the BitLocker Data Recovery Agent certificate template. If the BitLocker Data Recovery Agent template does not exist, copy the Key Recovery Agent template and add BitLocker Drive Encryption and BitLocker Drive Recovery Agent to its application policies.

Install the certificate on the computer.

Export the Certificate.

Save the certificate to a location on your computer.

Now we can use a Group Policy to apply the certificate to all machines in the OU.

Open Group Policy Management Console and then add the BitLocker Data Recovery Agent.

Expand Computer Configuration –> Windows Settings –> Security Settings –> Public Key Policies –> BitLocker Drive Encryption.

Right click on BitLocker Drive Encryption and then click Add BitLocker Data Recovery Agent.

After adding the BitLocker Data Recovery Agent, go to the Windows 7 client machine and run ‘gpupdate /force’ so that the policy, and with it the certificate, is applied.
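The certificate-export step above is shown in the GUI; the following PowerShell is an added example (not part of the original post) that does the same from the command line: it locates the enrolled Data Recovery Agent certificate in the current user's Personal store, refuses an expired one, and exports only the public certificate to a .cer file that the GPMC "Add Data Recovery Agent" wizard can import. It assumes the PKI module (Export-Certificate, available from Windows 8 / Server 2012 onward; on Windows 7 itself, use Certificate Manager as described) and treats the output path $OutFile as a placeholder.

```powershell
# Added example: export the public part of the BitLocker DRA certificate.
# $OutFile is a placeholder path; change it to suit your environment.
$OutFile = 'C:\Temp\bitlocker-dra.cer'

# Find candidates by Enhanced Key Usage name: the DRA template carries the
# "BitLocker Drive Recovery Agent" application policy. Only certificates whose
# private key is present here are useful later for unlocking.
$dra = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object {
        $_.HasPrivateKey -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.FriendlyName -like 'BitLocker*Recovery Agent*' })
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $dra) {
    throw 'No BitLocker Data Recovery Agent certificate with a private key was found in Cert:\CurrentUser\My.'
}

# A DRA that has already expired cannot be relied on for later recovery.
if ($dra.NotAfter -lt (Get-Date)) {
    throw "DRA certificate $($dra.Thumbprint) expired on $($dra.NotAfter)."
}

# Export the DER-encoded public certificate only. The private key stays in the
# store: it is what unlocks drives, so back it up separately (password-protected
# PFX) and keep it off the client machines that receive the policy.
$null = New-Item -ItemType Directory -Path (Split-Path -Path $OutFile) -Force
Export-Certificate -Cert $dra -FilePath $OutFile -Type CERT | Out-Null

# Summary of what was exported; the thumbprint is the value manage-bde will
# later show under "Data Recovery Agent (Certificate Based)".
[pscustomobject]@{
    Subject    = $dra.Subject
    Thumbprint = $dra.Thumbprint
    NotAfter   = $dra.NotAfter
    File       = $OutFile
}
```

The thumbprint printed at the end is worth recording: once the policy has been applied and a drive has been encrypted, the same value should appear in the drive's protector list, which is the quickest way to confirm the DRA actually reached the drive.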

On Windows 7 client machine, open an elevated command prompt and use the following commands:

To get the protectors, run:

C:\>manage-bde -protectors -get D:
BitLocker Drive Encryption: Configuration Tool version 6.1.7600
Copyright (C) Microsoft Corporation. All rights reserved.
Volume D: [New Volume]

All Key Protectors

Numerical Password:
ID: {FB4FF4B1-AAA3-4BB6-937E-80E7241CA2F2}
ID: {96C170CF-65AF-42A7-BEF8-0AD21667C02B}
Smart Card (Certificate Based):
ID: {7BBF31F5-DEBD-4C24-B76F-012855B4EF39}
Certificate Thumbprint:
Data Recovery Agent (Certificate Based):
ID: {E1749014-6760-4501-9A48-58152A587279}
Certificate Thumbprint:

How to lock BitLocker encrypted drive?

C:\>manage-bde -lock D:
BitLocker Drive Encryption: Configuration Tool version 6.1.7600
Copyright (C) Microsoft Corporation. All rights reserved.
Volume D: is now locked

How to unlock BitLocker encrypted drive?

C:\>manage-bde -unlock D: -cert -ct 1e66a3476615d9a1e51f56aec49024bb34b8a688
BitLocker Drive Encryption: Configuration Tool version 6.1.7600
Copyright (C) Microsoft Corporation. All rights reserved.
The certificate successfully unlocked volume D:.
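The commands above are typed by hand; the following PowerShell is an added example (not part of the original post) that wraps the same manage-bde calls into a check-then-unlock routine: it parses the output of "manage-bde -protectors -get", confirms a Data Recovery Agent protector exists, and only then runs "manage-bde -unlock -Certificate -ct" with the thumbprint from that protector, after verifying that the matching certificate with its private key is installed for the current user. The function names, $Volume and the sample output text (which mirrors the layout shown in the post, with a made-up thumbprint) are my own constructions for the example.

```powershell
# Added example: parse manage-bde protector output and unlock with the DRA.

function ConvertFrom-BdeProtectors {
    # Turn the text of "manage-bde -protectors -get <vol>" into objects with
    # Type, Id and (for certificate protectors) Thumbprint.
    param([string[]]$Lines)
    $protectors = @()
    $type = $null
    $current = $null
    foreach ($line in $Lines) {
        $t = $line.Trim()
        # A protector-type header such as "Numerical Password:" or
        # "Data Recovery Agent (Certificate Based):" ends with a colon.
        if ($t -match '^(.+?):$' -and $t -notmatch '^(ID|Certificate Thumbprint)') {
            $type = $Matches[1]
            continue
        }
        if ($t -match '^ID:\s*(\{[0-9A-Fa-f-]+\})') {
            $current = [pscustomobject]@{ Type = $type; Id = $Matches[1]; Thumbprint = $null }
            $protectors += $current
            continue
        }
        # manage-bde prints the thumbprint on the line after "Certificate Thumbprint:".
        if ($current -and $t -match '^[0-9a-fA-F]{40}$') {
            $current.Thumbprint = $t.ToLower()
        }
    }
    return $protectors
}

function Unlock-WithRecoveryAgent {
    # Unlock $Volume (e.g. 'D:') using a DRA certificate held by the current user.
    # For an operating system drive, attach it to another machine as a data
    # drive first, as the post explains.
    param([Parameter(Mandatory)][string]$Volume)

    $out  = & manage-bde -protectors -get $Volume
    $prot = ConvertFrom-BdeProtectors -Lines $out
    $dra  = @($prot | Where-Object { $_.Type -like 'Data Recovery Agent*' })
    if ($dra.Count -eq 0) {
        throw "No Data Recovery Agent protector on $Volume; a DRA cannot unlock it."
    }

    foreach ($p in $dra) {
        # Thumbprint comparison with -eq is case-insensitive in PowerShell.
        $cert = Get-ChildItem -Path Cert:\CurrentUser\My |
            Where-Object { $_.Thumbprint -eq $p.Thumbprint -and $_.HasPrivateKey }
        if ($cert) {
            & manage-bde -unlock $Volume -Certificate -ct $p.Thumbprint
            return
        }
    }
    throw "DRA protector(s) present ($(($dra | ForEach-Object Thumbprint) -join ', ')) but no matching certificate with a private key is installed for this user."
}

# Constructed sample output (IDs as shown in the post, thumbprint made up) so
# the parser can be exercised offline without a BitLocker volume present.
$sample = @'
Volume D: [New Volume]
All Key Protectors

    Numerical Password:
      ID: {FB4FF4B1-AAA3-4BB6-937E-80E7241CA2F2}

    Data Recovery Agent (Certificate Based):
      ID: {E1749014-6760-4501-9A48-58152A587279}
      Certificate Thumbprint:
        0123456789abcdef0123456789abcdef01234567
'@ -split "`r?`n"

ConvertFrom-BdeProtectors -Lines $sample | Format-Table -AutoSize

# Live use on a locked data drive (requires an elevated prompt):
# Unlock-WithRecoveryAgent -Volume 'D:'
```

Because the routine reads the thumbprint from the drive itself rather than from a value typed in by the operator, it cannot try to unlock with a certificate the drive does not trust, and the store check before the unlock turns a confusing manage-bde failure into a clear message about which certificate is missing.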

How to recover lost data from BitLocker encrypted drive?

iBoysoft BitLocker Recovery is a BitLocker data recovery tool that can recover lost data from a BitLocker-encrypted drive, provided you have the original password or the BitLocker recovery password/key.

Step 1: Download, install and launch iBoysoft BitLocker Recovery on your computer.


Select the BitLocker-encrypted drive from which you want to recover lost data.

Step 2: Enter the 48-digit BitLocker recovery key or the password.

Step 3: Scan the BitLocker-encrypted drive for lost files.

Step 4: After your files are found, select them and click "Recover" to save them.
