ERROR: The certificate failed to unlock volume F:
When encrypting an external drive using BTG and trying to unlock it using a DRA agent (using manage-bde -unlock f: -cert -ct %CERTIFICATETHUMBPRINTHERE%), I get the following error: ERROR: The certificate failed to unlock volume F: I followed the same steps as in http://blogs.technet.com/b/askcore/archive/2010/10/11/how-to-use-bitlocker-data-recovery-agent-to-unlock-bitlocker-protected-drives.aspx, with the exception of issuing an EFS Recovery Agent certificate instead of a DRA certificate, as that option is not available. I remember testing unlocking the drive once before using that same DRA account, and it worked just fine. I have all the needed GPO settings applied (allowing DRA agents, BitLocker identification field, DRA public key cert added to Public Key Policies\BitLocker Drive Encryption, etc.). I can also attach all GPO settings if needed. Any ideas why this might be occurring?
September 26th, 2012 2:57pm

Whether the private key can be exported or not depends on the configuration of the corresponding certificate template. Did you request the data recovery agent certificate from the EFS Recovery Agent template? To allow the private key to be exported, the option "Allow the private key to be exported" must be checked on the certificate template. Regards, Diana
September 27th, 2012 1:51am

It sounds like the account's certificate is not in the store on that machine, which in this case would make sense for this operation to fail, since manage-bde cannot use the private key to decrypt. I will check.
September 27th, 2012 10:00am

Run "manage-bde -protectors -get f:" on the Win7 client to get detailed information about the Data Recovery Agent, then make sure you are using the correct thumbprint associated with the DRA's certificate. You are right, the certificate with the private key should be imported to the computer's personal store. Awaiting any update. Regards, Diana
September 27th, 2012 10:40am

Importing the certificate (which has the private key) to the store got it to work. It was a bit difficult to get hold of that cert, since it was not exportable (with the private key) from the CA (even though the configuration says it's allowed), and I ended up having to request another cert and extract the private key from the requester machine.
September 27th, 2012 6:15pm
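The check-and-import sequence from the two posts above (verify the DRA thumbprint with manage-bde -protectors -get, get the certificate with its private key into the Personal store, then unlock), as an added PowerShell example that is not part of the original thread. It assumes the DRA certificate has already been exported as a PFX containing the private key (the assumed path $PfxPath), that the placeholder $Thumbprint is replaced with the real thumbprint, and it lets you choose the store location since the thread and the linked article differ on user versus computer store.

```powershell
# Added example, not code from the original thread. Assumes the DRA
# certificate was exported as a PFX with its private key to $PfxPath, and
# that $Thumbprint is replaced with the certificate's real thumbprint.
param(
    [string]$Drive         = 'F:',
    [string]$Thumbprint    = 'REPLACE-WITH-DRA-CERT-THUMBPRINT',   # placeholder
    [string]$PfxPath       = 'C:\temp\dra.pfx',                    # assumed path
    [ValidateSet('CurrentUser', 'LocalMachine')]
    [string]$StoreLocation = 'CurrentUser'
)

$ErrorActionPreference = 'Stop'

# Normalise the thumbprint: the certificate MMC shows it with spaces, manage-bde without.
$Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

# 1. Confirm the volume actually carries a DRA protector for this thumbprint.
#    (Assumes the English "Data Recovery Agent" label in manage-bde output.)
$protectorText = (& manage-bde.exe -protectors -get $Drive) -join "`n"
if ($LASTEXITCODE -ne 0) { throw "manage-bde -protectors -get $Drive failed (exit $LASTEXITCODE)" }
if ($protectorText -notmatch 'Data Recovery Agent') {
    throw "No Data Recovery Agent protector on $Drive; the DRA GPO was not applied when the volume was encrypted."
}
if (($protectorText -replace '\s', '').ToUpperInvariant() -notmatch $Thumbprint) {
    throw "Thumbprint $Thumbprint is not listed as a DRA protector on $Drive; you are using the wrong certificate."
}

# 2. Look for the certificate in the Personal (My) store; import the PFX if it is missing.
$storePath = "Cert:\$StoreLocation\My"
$cert = Get-ChildItem -Path $storePath | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) {
    Write-Host "Certificate $Thumbprint not found in $storePath; importing $PfxPath"
    $pfxPassword = Read-Host -AsSecureString 'PFX password'
    # PersistKeySet keeps the private key in the key container after import;
    # without it the store entry exists but manage-bde has no key to use.
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::PersistKeySet
    if ($StoreLocation -eq 'LocalMachine') {
        $flags = $flags -bor [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::MachineKeySet
    }
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $pfxPassword, $flags)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', $StoreLocation)
    $store.Open('ReadWrite')
    $store.Add($cert)
    $store.Close()
    if ($cert.Thumbprint -ne $Thumbprint) {
        throw "The PFX at $PfxPath has thumbprint $($cert.Thumbprint), not the DRA thumbprint $Thumbprint."
    }
}

# 3. A certificate without its private key is exactly the failing case in the thread:
#    a .cer import or a non-exportable key left on the requesting machine ends here.
if (-not $cert.HasPrivateKey) {
    throw "Certificate $Thumbprint is in $storePath but has no private key; export it as a PFX from the machine that holds the key and import that instead."
}

# 4. Unlock with the DRA certificate and show the resulting status.
& manage-bde.exe -unlock $Drive -cert -ct $cert.Thumbprint
if ($LASTEXITCODE -ne 0) { throw "manage-bde -unlock $Drive failed (exit $LASTEXITCODE)" }
& manage-bde.exe -status $Drive
```

Run it from an elevated PowerShell prompt on the machine holding the drive; step 1 fails fast when the wrong thumbprint is used, and step 3 reproduces the thread's root cause (certificate present, private key absent) as an explicit error instead of the generic "The certificate failed to unlock volume" message.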


This topic is archived. No further replies will be accepted.
