Hi all, I am trying to setup Bitlocker Data Recovery Agent feature in an Enterprise environment. I have tested DRA settings on the local PC with valid certificates and tested unlocking mechanism all fine. What i would like to find out more is the structure recommended for managing the certificate used by DRA in an enterprise environment. ie. a domain user certificate? how and where can i find out more about this? For example, can we have a certificate issued and attached to the Workstation admin group users? hence the desktop PC personnel can unlock the drive without importing the Certificate with the Private key locally. In terms of deployment for the Recovery Agent certificate, is there any automated way to do that? or only doing via the gpedit.msc from the GUI. Thank you in advance. Ray

Hi Ray, Thanks for the post! 1. What i would like to find out more is the structure recommended for managing the certificate used by DRA in an enterprise environment. ie. a domain user certificate? how and where can i find out more about this? There’s no recommended structure for managing certificate used by DRA, it depends on different environment. You can make different user settings. 2. In terms of deployment for the Recovery Agent certificate, is there any automated way to do that? or only doing via the gpedit.msc from the GUI. As I know, the Group Policy Management Console and Local Group Policy Editor are useful tools for deployment. There’s no automatic settings. Refer to http://technet.microsoft.com/en-us/library/dd875560(WS.10).aspx#BKMK_proc_id Regards, Miya YaoThis posting is provided "AS IS" with no warranties, and confers no rights. | Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.