@ -1,6 +1,6 @@
---
---
title: BitLocker recovery overview
title: BitLocker recovery overview
description: Learn about the BitLocker recovery process, how to determine root cause of failed automatic unlocks, and how to restore access to a locked drive.
description: Learn about BitLocker recovery scenarios, recovery options, and how to determine root cause of failed automatic unlocks.
ms.collection:
ms.collection:
- highpri
- highpri
- tier1
- tier1
@ -12,38 +12,11 @@ ms.date: 10/30/2023
BitLocker recovery is the process by which access to a BitLocker-protected drive can be restored if the drive doesn't unlock using its default unlock mechanism.
BitLocker recovery is the process by which access to a BitLocker-protected drive can be restored if the drive doesn't unlock using its default unlock mechanism.
In a recovery scenario, the following options to restore access to the drive may be available, depending on the configured policy settings:
This article describes BitLocker recovery scenarios, recovery options, and how to determine root cause of failed automatic unlocks.
:::row:::
## BitLocker recovery scenarios
:::column span="2":::
- **Recovery password**: a 48-digit number used to unlock a volume when it is in recovery mode. The recovery password may be saved as a text file, printed or stored in Microsoft Entra ID or Active Directory. The user can supply a recovery password, if available.
:::column-end:::
:::column span="2":::
:::image type="content" source="images/preboot-recovery.png" alt-text="Screenshot of the default BitLocker recovery screen asking enter the recovery password." lightbox="images/preboot-recovery.png" border="false":::
:::column-end:::
:::row-end:::
:::row:::
:::column span="2":::
- **Recovery key**: an encryption key stored on removable media that can be used for recovering data encrypted on a BitLocker volume. The file name has a format of <protector_id>.bek. For the OS drive, the recovery key can be used to gain access to the device if BitLocker detects a condition that prevents it from unlocking the drive when the device is starting up. A recovery key can also be used to gain access to fixed data drives and removable drives that are encrypted with BitLocker, if for some reason the password is forgotten or the device can't access the drive.
:::column-end:::
:::column span="2":::
:::image type="content" source="images/preboot-recovery-key.png" alt-text="Screenshot of the BitLocker recovery screen asking to plug a USB drive with the recovery key." lightbox="images/preboot-recovery-key.png" border="false":::
:::column-end:::
:::row-end:::
:::row:::
:::column span="4":::
- **Key package**: decryption key that can be used with the BitLocker Repair tool to reconstruct critical parts of a drive and salvage recoverable data. With the key package and either the *recovery password* or *recovery key*, portions of a corrupted BitLocker-protected drive can be decrypted. Each key package works only for a drive that has the corresponding drive identifier. A key package is not generated automatically, and can be saved on a file or in AD DS.
:::column-end:::
:::row-end:::
:::row:::
:::column span="4":::
- **Data Recovery Agent certificate**: a Data Recovery Agent (DRA) is a type of certificate that is associated with an Active Directory security principal and that can be used to access any BitLocker encrypted drives configured with the matching public key. DRAs can use their credentials to unlock the drive. If the drive is an OS drive, the drive must be mounted as a data drive on another device for the DRA to unlock it.
:::column-end:::
:::row-end:::
## Common scenarios for BitLocker recovery
The following list provides examples of common events that cause a device to enter BitLocker recovery mode when starting Windows:
The following list provides some examples of common events that causes BitLocker to enter recovery mode when attempting to start the operating system:
- Entering the wrong PIN too many times
- Entering the wrong PIN too many times
- Turning off the support for reading the USB device in the pre-boot environment from the BIOS or UEFI firmware if using USB-based keys instead of a TPM
- Turning off the support for reading the USB device in the pre-boot environment from the BIOS or UEFI firmware if using USB-based keys instead of a TPM
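Review bot: subject-verb agreement in the new lead-in to the scenarios list: `common events that causes BitLocker to enter recovery mode` should be `common events that cause BitLocker to enter recovery mode` (the replaced wording, `events that cause a device to enter BitLocker recovery mode`, had it right). Moving the four recovery-option rows out of this hunk into the later `## BitLocker recovery options` section is fine, since the new intro sentence `This article describes BitLocker recovery scenarios, recovery options, and how to determine root cause of failed automatic unlocks.` previews that order.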
@ -60,9 +33,9 @@ The following list provides some examples of common events that causes BitLocker
- Moving a BitLocker-protected drive into a new computer
- Moving a BitLocker-protected drive into a new computer
- On devices with TPM 1.2, changing the BIOS or firmware boot device order
- On devices with TPM 1.2, changing the BIOS or firmware boot device order
Before beginning recovery, it's recommend to determine *what* caused recovery. This might help to prevent the problem from occurring again in the future. For instance, if it is determined that an attacker has modified the computer by obtaining physical access, new security policies can be created for tracking who has physical presence. After the recovery password has been used to recover access to the device, BitLocker reseals the encryption key to the current values of the measured components.
Before starting the [BitLocker recovery process](recovery-process.md), it's recommend to determine what caused a device to enter in recovery mode. Root cause analysis might help to prevent the problem from occurring again in the future. For instance, if it's' determined that an attacker has modified the device by obtaining physical access, new security policies can be implemented for tracking who has physical presence.
For planned scenarios, such as a known hardware or firmware upgrades, initiating recovery can be avoided by temporarily suspending BitLocker protection. Because suspending BitLocker leaves the drive fully encrypted, the administrator can quickly resume BitLocker protection after the planned task has been completed. Using suspend and resume also reseals the encryption key without requiring the entry of the recovery key.
For planned scenarios, such as a known hardware or firmware upgrades, initiating recovery can be avoided by temporarily suspending BitLocker protection. Suspending BitLocker leaves the drive fully encrypted, and the administrator can quickly resume BitLocker protection after the planned task is completed. Using *suspend* and *resume* also reseals the encryption key without requiring the entry of the recovery key.
> [!NOTE]
> [!NOTE]
> If suspended, BitLocker automatically resumes protection when the device is rebooted, unless a reboot count is specified using PowerShell or the `manage-bde.exe` command line tool. For more information about suspending BitLocker, review the [BitLocker operations guide](operations-guide.md#suspend-and-resume).
> If suspended, BitLocker automatically resumes protection when the device is rebooted, unless a reboot count is specified using PowerShell or the `manage-bde.exe` command line tool. For more information about suspending BitLocker, review the [BitLocker operations guide](operations-guide.md#suspend-and-resume).
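Review bot: the rewritten root-cause paragraph drops a statement that the next paragraph still relies on. The old text ended with `After the recovery password has been used to recover access to the device, BitLocker reseals the encryption key to the current values of the measured components.`; the new text removes it, but the suspend/resume paragraph still says `Using *suspend* and *resume* also reseals the encryption key without requiring the entry of the recovery key.`, so `also` no longer refers to anything. Keep the resealing sentence in the new paragraph (it is the reason a recovery unlock does not recur on the next boot) or drop `also`. Three typos in the same new paragraph: `it's recommend to determine` (recommended), `enter in recovery mode` (enter recovery mode) and `if it's' determined` (stray apostrophe).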
@ -70,33 +43,62 @@ For planned scenarios, such as a known hardware or firmware upgrades, initiating
> [!TIP]
> [!TIP]
> Recovery is described within the context of unplanned or undesired behavior. However, recovery can also be caused as an intended production scenario, for example in order to manage access control. When devices are redeployed to other departments or employees in the organization, BitLocker can be forced into recovery before the device is delivered to a new user.
> Recovery is described within the context of unplanned or undesired behavior. However, recovery can also be caused as an intended production scenario, for example in order to manage access control. When devices are redeployed to other departments or employees in the organization, BitLocker can be forced into recovery before the device is delivered to a new user.
## BitLocker password recovery storage options
## BitLocker recovery options
In a recovery scenario, the following options to restore access to the drive may be available, depending on the policy settings applied to the devices:
:::row:::
:::column span="2":::
- **Recovery password**: a 48-digit number used to unlock a volume when it is in recovery mode. The recovery password may be saved as a text file, printed or stored in Microsoft Entra ID or Active Directory. The user can supply a recovery password, if available
:::column-end:::
:::column span="2":::
:::image type="content" source="images/preboot-recovery.png" alt-text="Screenshot of the default BitLocker recovery screen asking enter the recovery password." lightbox="images/preboot-recovery.png" border="false":::
:::column-end:::
:::row-end:::
:::row:::
:::column span="2":::
- **Recovery key**: an encryption key stored on removable media that can be used for recovering data encrypted on a BitLocker volume. The file name has a format of `<protector_id>.bek`. For the OS drive, the recovery key can be used to gain access to the device if BitLocker detects a condition that prevents it from unlocking the drive when the device is starting up. A recovery key can also be used to gain access to fixed data drives and removable drives that are encrypted with BitLocker, if for some reason the password is forgotten or the device can't access the drive
:::column-end:::
:::column span="2":::
:::image type="content" source="images/preboot-recovery-key.png" alt-text="Screenshot of the BitLocker recovery screen asking to plug a USB drive with the recovery key." lightbox="images/preboot-recovery-key.png" border="false":::
:::column-end:::
:::row-end:::
:::row:::
:::column span="4":::
- **Key package**: decryption key that can be used with the BitLocker Repair tool to reconstruct critical parts of a drive and salvage recoverable data. With the key package and either the *recovery password* or *recovery key*, portions of a corrupted BitLocker-protected drive can be decrypted. Each key package works only for a drive that has the corresponding drive identifier. A key package is not generated automatically, and can be saved on a file or in Active Directory Domain Services. A key package can't be stored in Microsoft Entra ID
:::column-end:::
:::row-end:::
:::row:::
:::column span="4":::
- **Data Recovery Agent certificate**: a Data Recovery Agent (DRA) is a type of certificate that is associated with an Active Directory security principal and that can be used to access any BitLocker encrypted drives configured with the matching public key. DRAs can use their credentials to unlock the drive. If the drive is an OS drive, the drive must be mounted as a data drive on another device for the DRA to unlock it
:::column-end:::
:::row-end:::
When planning the BitLocker recovery process, first consult the organization's current best practices for recovering sensitive information. For example:
When planning the BitLocker recovery process, first consult the organization's current best practices for recovering sensitive information. For example:
| :ballot_box_with_check: | Question |
| :ballot_box_with_check: | Question |
|--|--|
|--|--|
| :black_square_button: | *How does the organization handle lost Windows passwords?* |
| :black_square_button: | *How does the organization handle lost or forgotted passwords?* |
| :black_square_button: | *How does the organization perform smart card PIN resets?* |
| :black_square_button: | *How does the organization perform smart card PIN resets?* |
| :black_square_button: | *Are users allowed to save or retrieve recovery information for the devices that they own?* |
| :black_square_button: | *Are users allowed to save or retrieve recovery information for the devices that they own?* |
Answering the questions helps to determine the best BitLocker recovery process for the organization, and to configure BitLocker policy settings accordingly. For example, if the organization has a process for resetting passwords, a similar process can be used for BitLocker recovery. If users aren't allowed to save or retrieve recovery information, the organization can use a data recovery agents (DRAs) or automatically back up recovery information to Microsoft Entra ID or Active Directory Domain Services (AD DS).
Answering the questions helps to determine the best BitLocker recovery process for the organization, and to configure BitLocker policy settings accordingly. For example, if the organization has a process for resetting passwords, a similar process can be used for BitLocker recovery. If users aren't allowed to save or retrieve recovery information, the organization can use a data recovery agents (DRAs) or automatically back up recovery information to Microsoft Entra ID or Active Directory Domain Services (AD DS).
After a BitLocker recovery is initiated, users can use a recovery password to unlock access to encrypted data. Consider both self-recovery and recovery password retrieval methods for the organization.
### BitLocker recovery password
In order to recover BitLocker, a user must have access to the recovery password. The BitLocker recovery password is unique to the device it was created on, and can be saved in different ways. Depending on the configured policy settings, the recovery password can be:
To recover BitLocker, a user can use a recovery password, if available. The BitLocker recovery password is unique to the device it was created on, and can be saved in different ways. Depending on the configured policy settings, the recovery password can be:
- saved in Microsoft Entra ID, for Microsoft Entra joined and Microsoft Entra hybrid joined devices
- saved in Microsoft Entra ID, for Microsoft Entra joined and Microsoft Entra hybrid joined devices
- saved in AD DS, for devices that are joined to Active Directory
- saved in AD DS, for devices that are joined to Active Directory
- saved on text file
- saved on text file
- printed
- printed
Having access to this key allows the holder to unlock a BitLocker-protected volume and access all of its data. Therefore, it's crucial for your organization to establish procedures to control access to recovery passwords and ensure that they are stored securely, separate from the computers they protect.
Having access to the recovery password allows the holder to unlock a BitLocker-protected volume and access all of its data. Therefore, it's important for your organization to establish procedures to control access to recovery passwords and ensure that they are stored securely, separate from the devices they protect.
> [!NOTE]
> [!NOTE]
> There's an option for storing the BitLocker recovery key in a user's Microsoft account. This option is available for devices that aren't members of a domain and that the user is using a Microsoft account. Storing the recovery password in a Microsoft account is the default recommended recovery key storage method for devices that aren't Microsoft Entra joined or Active Directory joined.
> There's an option for storing the BitLocker recovery key in a user's Microsoft account. This option is available for devices that aren't members of a domain and that the user is using a Microsoft account. Storing the recovery password in a Microsoft account is the default recommended recovery key storage method for devices that aren't Microsoft Entra joined or Active Directory joined.
Backup of the recovery password can be configured **before** BitLocker is enabled. The following policy settings define the recovery methods that can be used to restore access to a BitLocker-protected drive if an authentication method fails or is unable to be used:
Backup of the recovery password should be configured before BitLocker is enabled. The following policy settings define the recovery methods that can be used to restore access to a BitLocker-protected drive:
- [Choose how BitLocker-protected operating system drives can be recovered](configure.md?tabs=os#choose-how-bitlocker-protected-operating-system-drives-can-be-recovered)
- [Choose how BitLocker-protected operating system drives can be recovered](configure.md?tabs=os#choose-how-bitlocker-protected-operating-system-drives-can-be-recovered)
- [Choose how BitLocker-protected fixed drives can be recovered](configure.md?tabs=fixed#choose-how-bitlocker-protected-fixed-drives-can-be-recovered)
- [Choose how BitLocker-protected fixed drives can be recovered](configure.md?tabs=fixed#choose-how-bitlocker-protected-fixed-drives-can-be-recovered)
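Review bot: typo in the new planning-table row: `lost or forgotted passwords` should be `lost or forgotten passwords`. While here, the unchanged sentence `the organization can use a data recovery agents (DRAs)` needs `use data recovery agents (DRAs)`. The sentence added to the key-package bullet, `A key package can't be stored in Microsoft Entra ID`, is a good home for the fact that the IMPORTANT note removed in the next hunk carried, so nothing is lost by that removal.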
@ -109,16 +111,38 @@ The recommendation is to use the following BitLocker backup methods:
- For Microsoft Entra joined devices, store the recovery key in Microsoft Entra ID
- For Microsoft Entra joined devices, store the recovery key in Microsoft Entra ID
- For Active Directory joined devices, store the recovery key in AD DS
- For Active Directory joined devices, store the recovery key in AD DS
> [!IMPORTANT]
### Data Recovery Agents
> The *BitLocker key package* can be stored in Active Directory Domain Services (AD DS), not in Microsoft Entra ID.
## BitLocker password retrieval methods
DRAs can be used to recover OS drives, fixed data drives, and removable data drives. However, when used to recover OS drives, the operating system drive must be mounted on another device as a *data drive* for the DRA to be able to unlock the drive. Data recovery agents are added to the drive when it's encrypted, and can be updated after encryption occurs.
### Microsoft Entra ID
The benefit of using a DRA over password or key recovery is that the DRA acts as a *master key* for BitLocker. With a DRA you can recover any volume protected by the policy, without having to find a specific password or key for each individual volume."
### Active Directory
To configure DRAs for devices that are joined to an Active Directory domain, the following steps are required:
The BitLocker recovery information for a device joined to Active Directory is stored in a child object of the computer object itself. Each BitLocker recovery object includes the recovery password and other recovery information. More than one BitLocker recovery object can exist under each Computer object, because there can be more than one recovery password associated with a BitLocker-enabled volume. The name of the BitLocker recovery object incorporates a globally unique identifier (GUID) and date and time information, for a fixed length of 63 characters. The syntax is `<Object Creation Date and Time><Recovery GUID>`.
1. Obtain a DRA certificate. The following key usage and enhanced key usage attributes are inspected by BitLocker before using the certificate.
1. If a key usage attribute is present, it must be one of the following:
- `CERT_DATA_ENCIPHERMENT_KEY_USAGE`
- `CERT_KEY_AGREEMENT_KEY_USAGE`
-`CERT_KEY_ENCIPHERMENT_KEY_USAGE`
1. If an enhanced key usage (EKU) attribute is present, it must be one of the following:
- As specified in the policy setting, or the default `1.3.6.1.4.1.311.67.1.1`
- Any EKU object identifier supported by your certification authority (CA)
1. Add the DRA via group policy using the path: **Computer configuration** > **Policies** > **Windows Settings** > **Security Settings** > **Public Key Policies** > **BitLocker Drive Encryption**
1. Configure the [Provide the unique identifiers for your organization](configure.md?tabs=common#provide-the-unique-identifiers-for-your-organization) policy setting to associate a unique identifier to a new drive that is enabled with BitLocker. An identification field is a string that is used to uniquely identify a business unit or organization. Identification fields are required for management of data recovery agents on BitLocker-protected drives. BitLocker only manages and updates DRAs when an identification field is present on a drive, and is identical to the value configured on the device
1. Configure the following policy settings to allow recovery using a DRA for each drive type:
- [Choose how BitLocker-protected operating system drives can be recovered](configure.md?tabs=os#choose-how-bitlocker-protected-operating-system-drives-can-be-recovered)
- [Choose how BitLocker-protected fixed drives can be recovered](configure.md?tabs=fixed#choose-how-bitlocker-protected-fixed-drives-can-be-recovered)
- [Choose how BitLocker-protected removable drives can be recovered](configure.md?tabs=removable#choose-how-bitlocker-protected-removable-drives-can-be-recovered)
## BitLocker recovery information stored in Microsoft Entra ID
## BitLocker recovery information stored in AD DS
The BitLocker recovery information for a device joined to an Active Directory domain can be stored in AD DS. The information is stored in a child object of the computer object itself. Each BitLocker recovery object includes the recovery password and other recovery information. More than one BitLocker recovery object can exist under each computer object, because there can be more than one recovery password associated with a BitLocker-enabled volume.
The name of the BitLocker recovery object incorporates a globally unique identifier (GUID) and date and time information, for a fixed length of 63 characters. The syntax is `<Object Creation Date and Time><Recovery GUID>`.
> [!NOTE]
> [!NOTE]
> Active Directory maintains history of all recovery passwords for a computer object. Old recovery keys are not removed automatically from AD DS, unless the computer object is deleted.
> Active Directory maintains history of all recovery passwords for a computer object. Old recovery keys are not removed automatically from AD DS, unless the computer object is deleted.
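Review bot: two markup defects in the DRA procedure added here, plus an empty section. The third key-usage bullet is written as a hyphen immediately followed by the backticked `CERT_KEY_ENCIPHERMENT_KEY_USAGE`, with no space after the hyphen, so it will not render as a list item like the two bullets above it. The paragraph `The benefit of using a DRA over password or key recovery ...` ends with a stray `"` after `for each individual volume.`. And the new heading `## BitLocker recovery information stored in Microsoft Entra ID` has no body text before `## BitLocker recovery information stored in AD DS`; either describe where Entra ID keeps the recovery password (the `### BitLocker recovery password` list above already states which join types back up there) or remove the heading until that text exists.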
@ -158,30 +182,7 @@ To make sure the correct password is provided and/or to prevent providing the in
Since the password ID is a unique value that is associated with each recovery password stored in AD DS, running a query using this ID finds the correct password to unlock the encrypted volume.
Since the password ID is a unique value that is associated with each recovery password stored in AD DS, running a query using this ID finds the correct password to unlock the encrypted volume.
### Data Recovery Agents
DRAs can be used to recover OS drives, fixed data drives, and removable data drives. However, when used to recover OS drives, the operating system drive must be mounted on another device as a *data drive* for the DRA to be able to unlock the drive. Data recovery agents are added to the drive when it's encrypted, and can be updated after encryption occurs.
The benefit of using a DRA over password or key recovery is that the DRA acts as a *master key* for BitLocker. With a DRA you can recover any volume protected by the policy, without having to find a specific password or key for each individual volume."
To configure DRAs for devices that are joined to an Active Directory domain, the following steps are required:
1. Obtain a DRA certificate. The following key usage and enhanced key usage attributes are inspected by BitLocker before using the certificate.
1. If a key usage attribute is present, it must be one of the following:
- `CERT_DATA_ENCIPHERMENT_KEY_USAGE`
- `CERT_KEY_AGREEMENT_KEY_USAGE`
-`CERT_KEY_ENCIPHERMENT_KEY_USAGE`
1. If an enhanced key usage (EKU) attribute is present, it must be one of the following:
- As specified in the policy setting, or the default `1.3.6.1.4.1.311.67.1.1`
- Any EKU object identifier supported by your certification authority (CA)
1. Add the DRA via group policy using the path: **Computer configuration** > **Policies** > **Windows Settings** > **Security Settings** > **Public Key Policies** > **BitLocker Drive Encryption**
1. Configure the [Provide the unique identifiers for your organization](configure.md?tabs=common#provide-the-unique-identifiers-for-your-organization) policy setting to associate a unique identifier to a new drive that is enabled with BitLocker. An identification field is a string that is used to uniquely identify a business unit or organization. Identification fields are required for management of data recovery agents on BitLocker-protected drives. BitLocker only manages and updates DRAs when an identification field is present on a drive, and is identical to the value configured on the device
1. Configure the following policy settings to allow recovery using a DRA for each drive type:
- [Choose how BitLocker-protected operating system drives can be recovered](configure.md?tabs=os#choose-how-bitlocker-protected-operating-system-drives-can-be-recovered)
- [Choose how BitLocker-protected fixed drives can be recovered](configure.md?tabs=fixed#choose-how-bitlocker-protected-fixed-drives-can-be-recovered)
- [Choose how BitLocker-protected removable drives can be recovered](configure.md?tabs=removable#choose-how-bitlocker-protected-removable-drives-can-be-recovered)
## Next steps
## Next steps
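Review bot: this hunk is a verbatim move of the `### Data Recovery Agents` block to its new position earlier in the file, with no lines lost; the stray `"` after `for each individual volume.` and the missing space in the `CERT_KEY_ENCIPHERMENT_KEY_USAGE` bullet travel with it, so they need fixing at the new location.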