how to remove Data Recovery Agent key
I was following this document for setting up a data recovery agent for BitLocker (http://technet.microsoft.com/en-us/library/dd875560(WS.10).aspx). I set up the recovery agent and was testing unlocking a drive using the recovery agent private key. (I installed the private key on the machine with the "locked" drive.) I was following these instructions:

"In this example, if the private key is available in the local certificate store, the administrator could use the following Manage-bde command to unlock the drive by using the data recovery agent protector as shown in the following example. manage-bde -unlock E: -Certificate -ct 9de688607336294a52b445d30d1eb92f0bec1e78"

The recovery/unlock worked fine, BUT now I find that I can't uninstall or delete the key from the machine with the previously "locked" drive. I used the Certificates MMC to delete the recovery certificate which contained the private key. The certificate was deleted, but the capability to unlock any BitLocker-protected devices remains. I found info that "...even when a certificate is deleted, the corresponding private key is not deleted" (http://technet.microsoft.com/en-us/library/cc772354.aspx).

Anyone have an idea how I can get rid of the private key (which I can no longer find in the Certificates MMC console)? Is the private key the root of my problem, or am I off on a "rabbit trail"?

Things I've tried: rebooting.

Thanks in advance for any assistance.
December 22nd, 2011 6:15pm

Do you still want help related to this issue?
Manoj Sehgal
January 19th, 2012 9:01pm

I would also like to know the official way to remove the private key for a certificate that has once been imported. Should I just delete something from %appdata%\Microsoft\Crypto\RSA\<sid>? I tried it and it worked: I was able to remove the private key. I identified the correct file to delete by its modification time. Notice that the directories and files are hidden, so you need to use dir /a or del /a to list and delete them. I was playing with signtool to verify the behavior.
April 24th, 2012 6:37am

Now I found the official way. It is described here: http://msdn.microsoft.com/en-us/windows/hardware/gg487309.aspx, on the last page of the document. In short: when importing the certificate, "Mark the key as exportable" must have been selected. Then, when exporting the key as a .PFX file, you have the option of deleting the private key. If "Mark the key as exportable" was not originally selected, you need to reimport the certificate with that option.
April 27th, 2012 12:10am
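The two answers above give a manual recipe (delete the key file under %appdata%\Microsoft\Crypto\RSA\<sid>, or re-import as exportable and export with "delete the private key"). The following PowerShell script, added here as an example and not taken from the thread or from Microsoft's documentation, does the same job from the command line and then checks the result: it finds the DRA certificate, shows where its key container file lives, removes the certificate together with its private key, and confirms that the DRA protector can no longer unlock the volume. Everything in it beyond the thumbprint and drive letter quoted in the question is an assumption: the certificate was imported into the current user's Personal store, the key is a CAPI (CSP) RSA key rather than a CNG key, the volume is E:, and the script runs elevated on Windows 8 / PowerShell 4 or later, where the certificate provider's Remove-Item supports -DeleteKey.

```powershell
# Added example (not from the thread): remove a BitLocker DRA certificate together
# with its private key, then prove the DRA protector can no longer unlock the drive.
# Assumptions not stated in the thread: the DRA cert sits in Cert:\CurrentUser\My,
# the key is a CAPI (CSP) RSA key, the volume is E:, and this runs elevated on
# Windows 8 / PowerShell 4+ (Remove-Item -DeleteKey needs the newer cert provider).
$Thumbprint = '9de688607336294a52b445d30d1eb92f0bec1e78'   # thumbprint from the TechNet example
$Drive      = 'E:'
$CertPath   = "Cert:\CurrentUser\My\$Thumbprint"

# --- 1. Locate the certificate and its on-disk key container ----------------
$cert = Get-Item -Path $CertPath -ErrorAction SilentlyContinue
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in Cert:\CurrentUser\My" }

# For CSP keys, .PrivateKey is an RSACryptoServiceProvider whose container info
# names the file under %APPDATA%\Microsoft\Crypto\RSA\<SID>\ (it is $null for CNG keys).
$keyFile = $null
if ($cert.HasPrivateKey -and $cert.PrivateKey -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $info    = $cert.PrivateKey.CspKeyContainerInfo
    $sid     = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    $keyFile = Join-Path $env:APPDATA "Microsoft\Crypto\RSA\$sid\$($info.UniqueKeyContainerName)"
    "Key container : $($info.KeyContainerName)"
    "Exportable    : $($info.Exportable)"
    "Key file      : $keyFile (exists: $(Test-Path -LiteralPath $keyFile))"
}

# --- 2. Delete the certificate AND the key ---------------------------------
# Deleting in the Certificates MMC removes only the certificate; -DeleteKey also
# removes the private key container, which is what the original poster was missing.
Remove-Item -Path $CertPath -DeleteKey

# --- 3. Check that the key container file really is gone -------------------
if ($keyFile -and (Test-Path -LiteralPath $keyFile)) {
    Write-Warning "Key file still present: $keyFile"
    # Fallback for an orphaned key whose certificate was already deleted in the MMC:
    # list the user's key containers, then delete the orphan by container name.
    certutil -user -key
    # certutil -user -delkey "<KeyContainerName>"
}

# --- 4. Prove the DRA protector no longer works from this machine -----------
manage-bde -lock $Drive -ForceDismount | Out-Null
manage-bde -unlock $Drive -Certificate -ct $Thumbprint | Out-Null
if ($LASTEXITCODE -eq 0) {
    Write-Warning "Drive unlocked: a usable private key is still present (also check Cert:\LocalMachine\My and CNG key stores)."
} else {
    "Unlock with the DRA certificate failed as expected (exit code $LASTEXITCODE)."
}
manage-bde -status $Drive | Select-String -Pattern 'Lock Status'
```

Two points worth keeping in mind when using this. First, removing the key from this machine only takes away this machine's ability to act as the recovery agent; the DRA protector, which carries the agent's public key, stays in the volume's BitLocker metadata, so any machine that holds the private key can still unlock the drive. Second, the last step is the real test: if `manage-bde -unlock ... -Certificate` still succeeds after the deletion, a copy of the key survives somewhere (the machine store, a CNG key store, or a second container), and the lock status line from `manage-bde -status` will show the drive as unlocked.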
