Can one use Data Recovery Agents to recover and unlock FIPS Mode encrypted BitLocker drives. I have attempted this but have had no success:"Certificate failed to unlock drive"

You can use DRA to unlock the devices. The key thing here is BitLocker Application requires a private key to unlock the device. See the blog below which might help you. http://blogs.technet.com/b/askcore/archive/2010/10/11/how-to-use-bitlocker-data-recovery-agent-to-unlock-bitlocker-protected-drives.aspx Manoj Sehgal

We have painstakingly walked through these scenarios . Everytime : "Certificate failed to unlock Volume f: " etc. Since no "password" is valid in FIPS Mode, why should one be able to type a certificate "thumbprint" into a command line tool, "manage-bde" and unlock a FIPS mode encrypted drive. Can a more informative or detailed walkthrough be supplied. ie: 1. issue the certificate like this with this. 2. apply the certificate to GPO thusly, and include these settings in the GPO. and LINK GPO "here" . 3. actions necessary on local machine are these..... . .....on another note, if you do not bitlock with pin, and this DRA business DID work, then all a thief would need is the users domain password/useraccount ....to slave any bitlocked drives and do the manage-bde -protectors -get command to get the thumbprint and unlock any drive bitlocked in the domain.This makes me think I am missing something in this scheme. Please excuse my density.

If the certificate is located on a smart card, you have to include an extra parameter to unlock the drive: -pin Example: manage-bde -unlock f: -cert -ct 1e66a3476615d9a1e51f56aec49024bb34b8a688 -pin If you omit -pin, it will not use certificates on the smart card. It also seems to me that you have to be logged on with a user that is member of the local Administrators group to unlock a drive with a smart card certificate. Not sure about the last thing, though.