BitLocker Data Recovery Agent certificate

Hello!

Can anyone please tell me how I can issue a BitLocker DRA certificate in Windows Server 2012 CA?

There's no such template in CA 2012, and I can't create it by duplicating the Key Recovery Agent template and adding the BitLocker application policies to the Key Recovery Agent template as in CA 2008 R2.

Thank you in advance,

Michael


  • Edited by MF47 Thursday, April 11, 2013 10:08 AM Typo
April 11th, 2013 10:07am

Hi Michael,

Thanks for posting in Microsoft TechNet forums.

Please check the Data Recovery Agent parts in the article below to see if they can be helpful during the troubleshooting:

BitLocker Group Policy settings

http://technet.microsoft.com/en-us/library/jj679890.aspx

Regards

Kevin
April 15th, 2013 7:05am

Hi Kevin Zhu,

Thank you for the useful link! ...but there's no info on what certificate template should be used for a DRA certificate.

Regards,

Michael

April 15th, 2013 7:58am

Install the BitLocker Feature to Windows (in Server Manager). That will add support for the BitLocker certificate OIDs.

You may need to do this both on the system where you make the request, and on the system that is issuing the certificates.

I personally disagree with this requirement (it is inconsistent with the fact that other OIDs are handled without adding features, and with the fact that the CA system may not need the BitLocker feature), but that's how it is...

June 10th, 2013 7:14pm

mcb, thank you very much!
June 13th, 2013 1:53pm

Hmm - I've installed everything on the server I can to try and get the BitLocker cert template to become available but still can see nothing... what am I doing wrong... or what else do I need to do!?

Cheers

C

May 6th, 2015 1:14pm

Ah OK - I can see them now in the available certificate extensions...
May 6th, 2015 1:55pm

Hello Carl,

I have the same situation... my domain controllers are windows 2008 R2 and the CA is 2012R2. I can't make the template for BitLocker DRA. can you please post how you got this resolved?

thank you very much.

June 8th, 2015 2:17am

No probs Ben,

Doing this all from memory as we no longer need to use a DRA - so some info might be a bit sketchy....

Add the BitLocker component to your CA via Server Management

Create a duplicate of the Recovery Agent certificate

Edit the certificate and choose the Extensions tab.

On this tab you will be able to add the two BitLocker extensions mentioned in the OP's question

Then you just need to deploy the new certificate.

....if you need this for FIPS then post back as I have some other info for you...

Carl

June 8th, 2015 3:00am
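The sequence from mcb's and Carl's replies (install the BitLocker feature on the CA, duplicate the Key Recovery Agent template, add the two BitLocker application policies, publish the template) as a scripted version with the checks a PKI admin would want at each step. This is an added example, not code posted in the thread. It assumes an Enterprise CA on Windows Server 2012 or 2012 R2 with the ADCSAdministration and ActiveDirectory PowerShell modules, run as an enterprise admin, and that the duplicated template was named BitLockerDRA (an assumed name; the duplication itself is still done in certtmpl.msc). The two OIDs are the well-known Microsoft BitLocker application-policy OIDs.

```powershell
# Added example, not from the thread. Assumes an Enterprise CA on Windows Server 2012 / 2012 R2
# with the ADCSAdministration and ActiveDirectory modules, run as an enterprise admin.
# 'BitLockerDRA' is an assumed name for the duplicated Key Recovery Agent template.

# 1. Install the BitLocker feature on the CA (and on the machine that will enroll), so the
#    BitLocker OIDs are registered locally and appear under Extensions > Application Policies.
Install-WindowsFeature -Name BitLocker -IncludeAllSubFeature -IncludeManagementTools

# 2. The two BitLocker application-policy OIDs a DRA certificate needs.
$BitLockerEku = '1.3.6.1.4.1.311.67.1.1'   # BitLocker Drive Encryption
$DraEku       = '1.3.6.1.4.1.311.67.1.2'   # BitLocker Data Recovery Agent

# certutil prints a friendly name only once the OID is known on this machine; an
# unregistered OID is the symptom of a missing BitLocker feature described in the thread.
certutil -oid $BitLockerEku
certutil -oid $DraEku

# 3. After duplicating the Key Recovery Agent template in certtmpl.msc and adding both
#    OIDs under Extensions > Application Policies, confirm the template object in AD
#    actually carries them before publishing it on the CA.
$templateName = 'BitLockerDRA'
$configNC = (Get-ADRootDSE).configurationNamingContext
$template = Get-ADObject -Filter "name -eq '$templateName'" `
    -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC" `
    -Properties 'pKIExtendedKeyUsage', 'msPKI-Certificate-Application-Policy'

if (-not $template) { throw "Template $templateName not found in AD; duplicate the KRA template first." }

$missing = @($BitLockerEku, $DraEku) | Where-Object {
    $template.'msPKI-Certificate-Application-Policy' -notcontains $_
}
if ($missing) {
    throw "Template $templateName is missing application policy OID(s): $($missing -join ', ')"
}

# 4. Publish the template on the CA so it shows up for enrollment.
Add-CATemplate -Name $templateName -Force
Get-CATemplate | Where-Object Name -eq $templateName

# 5. After enrolling, verify the issued certificate really has the DRA EKU. Only such a
#    certificate should be added as a Data Recovery Agent in Group Policy
#    (Computer Configuration > Windows Settings > Security Settings > Public Key Policies
#    > BitLocker Drive Encryption).
$dra = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.EnhancedKeyUsageList.ObjectId -contains $DraEku
}
if (-not $dra) { throw 'No certificate with the BitLocker DRA EKU found in the user store.' }
$dra | Format-List Subject, Thumbprint, NotAfter
```

Step 3 is the check that saves the most time: if the Application Policies tab let you pick the OIDs but the template object in AD does not list them, the CA will issue certificates that BitLocker will not accept as a recovery agent. Keep the DRA private key off the CA and off ordinary workstations; it decrypts every volume the policy covers.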
