diff --git a/windows/security/operating-system-security/data-protection/bitlocker/recovery-overview.md b/windows/security/operating-system-security/data-protection/bitlocker/recovery-overview.md index 7128d2185c..350d78c3ae 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/recovery-overview.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/recovery-overview.md 
@@ -120,22 +120,16 @@ The benefit of using a DRA over password or key recovery is that the DRA acts as To configure DRAs for devices that are joined to an Active Directory domain, the following steps are required: 1. Obtain a DRA certificate. The following key usage and enhanced key usage attributes are inspected by BitLocker before using the certificate. - 1. If a key usage attribute is present, it must be one of the following: - - - `CERT_DATA_ENCIPHERMENT_KEY_USAGE` - - `CERT_KEY_AGREEMENT_KEY_USAGE` - - `CERT_KEY_ENCIPHERMENT_KEY_USAGE` - - 1. If an enhanced key usage (EKU) attribute is present, it must be one of the following: - + 1. If a key usage attribute is present, it must be one of the following: + - `CERT_DATA_ENCIPHERMENT_KEY_USAGE` + - `CERT_KEY_AGREEMENT_KEY_USAGE` + - `CERT_KEY_ENCIPHERMENT_KEY_USAGE` +1. If an enhanced key usage (EKU) attribute is present, it must be one of the following: - As specified in the policy setting, or the default `1.3.6.1.4.1.311.67.1.1` - Any EKU object identifier supported by your certification authority (CA) - 1. Add the DRA via group policy using the path: **Computer configuration** > **Policies** > **Windows Settings** > **Security Settings** > **Public Key Policies** > **BitLocker Drive Encryption** 1. Configure the [Provide the unique identifiers for your organization](configure.md?tabs=common#provide-the-unique-identifiers-for-your-organization) policy setting to associate a unique identifier to a new drive that is enabled with BitLocker. An identification field is a string that is used to uniquely identify a business unit or organization. Identification fields are required for management of data recovery agents on BitLocker-protected drives. BitLocker only manages and updates DRAs when an identification field is present on a drive, and is identical to the value configured on the device - 1. 
Configure the following policy settings to allow recovery using a DRA for each drive type: - - [Choose how BitLocker-protected operating system drives can be recovered](configure.md?tabs=os#choose-how-bitlocker-protected-operating-system-drives-can-be-recovered) - [Choose how BitLocker-protected fixed drives can be recovered](configure.md?tabs=fixed#choose-how-bitlocker-protected-fixed-drives-can-be-recovered) - [Choose how BitLocker-protected removable drives can be recovered](configure.md?tabs=removable#choose-how-bitlocker-protected-removable-drives-can-be-recovered)
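Review bot: the two sub-items end up at different indentation levels in this hunk: `+ 1. If a key usage attribute is present, it must be one of the following:` keeps its leading indentation under step 1 ("Obtain a DRA certificate"), but `+1. If an enhanced key usage (EKU) attribute is present, it must be one of the following:` is moved to column 0, so Markdown will render it as a new top-level step (renumbering "Add the DRA via group policy" and the later steps) instead of as the second sub-item under step 1. Indent the EKU line to match the key-usage line so both stay nested under "Obtain a DRA certificate", and keep the unchanged `- As specified in the policy setting...` / `- Any EKU object identifier...` bullets indented beneath it. Dropping the blank lines before the nested `-` bullets is fine for most renderers, but verify on the rendered page that those bullets still attach to the EKU item rather than to the surrounding numbered list.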