Earlier versions of Windows supported storing BitLocker recovery keys in AD DS. This works well, but each BitLocker-protected volume has a unique recovery key. In enterprises, this can consume a large amount of space in AD DS. By using a data recovery agent instead of storing recovery keys in AD DS, you can store a single certificate in AD DS and use it to recover any BitLocker-protected volume.
To configure a data recovery agent, follow these steps:
1. Publish the future data recovery agent's certificate to AD DS. Alternatively, export the certificate to a .cer file and have it available.
2. Open a Group Policy object that targets the Windows 7 computers using the Group Policy Object Editor, and then select Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies.
3. Right-click BitLocker Drive Encryption, click Add Data Recovery Agent to start the Add Recovery Agent Wizard, and then click Next.
4. On the Select Recovery Agents page, click Browse Directory (if the certificate is stored in AD DS) or Browse Folders (if you have saved the .cer file locally). Select a .cer file to use as a data recovery agent. After the file is selected, it will be imported and will appear in the Recovery Agents list in the wizard. You can specify multiple data recovery agents. After you specify all of the data recovery agents that you want to use, click Next.
5. The Completing The Add Recovery Agent page of the wizard displays a list of the data recovery agents that will be added to the Group Policy object. Click Finish to confirm the data recovery agents and close the wizard.
The next time Group Policy is applied to the targeted Windows 7 computers, the data recovery agent certificate will be applied to the drive. At that point, you will be able to recover a BitLocker-protected drive using the certificate configured as the data recovery agent. Because that one certificate can recover any volume the policy covers, you must carefully protect the data recovery agent certificate and its private key.
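The following verification script is an added example, not part of the original article or of Microsoft's own tooling: run as an administrator on a targeted Windows 7 client after Group Policy has refreshed, it checks that every protected BitLocker volume actually carries a data recovery agent protector whose certificate thumbprint matches the one you published in step 1. `$ExpectedThumbprint` is a placeholder, and the thumbprint-parsing regex assumes manage-bde prints the DRA certificate thumbprint as 40 contiguous hex digits.

```powershell
# Added example: verify that the DRA from the Group Policy object reached each volume.
# $ExpectedThumbprint is a placeholder; paste the thumbprint of the DRA certificate you published.
param([string]$ExpectedThumbprint = 'REPLACE-WITH-DRA-CERTIFICATE-THUMBPRINT')

function Get-ProtectedBitLockerVolumes {
    # Win32_EncryptableVolume is the BitLocker WMI provider present on Windows 7.
    # ProtectionStatus 1 = protection on, so only volumes BitLocker currently guards are returned.
    Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' -Class Win32_EncryptableVolume |
        Where-Object { $_.DriveLetter -and $_.ProtectionStatus -eq 1 }
}

function Test-DraProtector {
    param([string]$DriveLetter, [string]$Thumbprint)
    # manage-bde is the BitLocker command-line tool that ships with Windows 7 (the BitLocker
    # PowerShell cmdlets arrived in later Windows versions), so its text output is parsed here.
    $text = (& manage-bde.exe -protectors -get $DriveLetter 2>&1) | Out-String
    $hasDra = $text -match 'Data Recovery Agent'
    # Assumption: the thumbprint follows the DRA entry as 40 hex digits; if the layout differs,
    # the thumbprint is reported as unknown and the volume is flagged as not matching.
    $found = $null
    if ($hasDra -and $text -match 'Data Recovery Agent[\s\S]*?([0-9A-Fa-f]{40})') { $found = $matches[1] }
    $expected = $Thumbprint -replace '\s', ''
    New-Object PSObject -Property @{
        Drive      = $DriveLetter
        HasDra     = $hasDra
        Thumbprint = $found
        Matches    = ($found -ne $null) -and ($found -ieq $expected)
    }
}

$results = Get-ProtectedBitLockerVolumes | ForEach-Object { Test-DraProtector $_.DriveLetter $ExpectedThumbprint }
$results | Format-Table Drive, HasDra, Thumbprint, Matches -AutoSize

# A volume that shows no DRA was typically encrypted before the policy applied, or its
# identification field does not match the "Provide the unique identifiers for your organization"
# policy setting; BitLocker adds the data recovery agent only to drives whose identification field matches.
if ($results | Where-Object { -not $_.Matches }) { exit 1 } else { exit 0 }
```

The exit code makes the script usable from a logon script or monitoring job, so a client that lost its DRA protector is reported rather than discovered during a recovery.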