Recovery of a BitLocker-protected drive can be accomplished by a data recovery agent that has been configured with the proper certificate. Before a data recovery agent can be configured for a drive, you must add the data recovery agent from Public Key Policies in either the Group Policy Management Console (GPMC) or the Local Group Policy Editor. You must also enable and configure the Provide the unique identifiers for your organization policy setting to associate a unique identifier to a new drive that is enabled with BitLocker. Identification fields are required for management of data recovery agents on BitLocker-protected drives. BitLocker will only manage and update data recovery agents when an identification field is present on a drive and is identical to the value configured on the computer.

Certificate requirements

A certificate must meet the following key usage and enhanced key usage requirements before it can be used to encrypt a drive with BitLocker:

  • The key usage attribute must be either none, Key Encipherment, or one of the following key usage values:




  • The enhanced key usage attribute must be either none or one of the following:

    Any enhanced key usage object identifier supported by your certification authority

The BitLocker object identifier is set to by default. You can use Group Policy to change this value if, for example, you want to share an existing certificate with BitLocker. If the certificate belongs to a data recovery agent and is only used to recover BitLocker-protected data, it is recommended that it also have one of these attributes, but it is not mandatory. No certificate validation occurs when adding a data recovery agent to a drive.

Configuring a data recovery agent and an identification field for BitLocker

The following procedures describe how to configure a data recovery agent and an identification field for BitLocker.

Local Administrators is the minimum group membership required to complete these procedures.

To configure a data recovery agent
  1. Open either the GPMC or the Local Group Policy Editor.

  2. In the console tree under Computer Configuration\Windows Settings\Security Settings\Public Key Policies, right-click BitLocker Drive Encryption.

  3. Click Add Data Recovery Agent to start the Add Recovery Agent Wizard. Click Next.

  4. On the Select Recovery Agents page, click Browse Folders, and select a .cer file to use as a data recovery agent. Once the file is selected, it will be imported and will appear in the Recovery agents list in the wizard. Multiple data recovery agents can be specified. After you have specified all the data recovery agents that you want to use, click Next.

  5. The Completing the Add Recovery Agent page of the wizard displays a list of the data recovery agents that will be added to the Group Policy. Click Finish to confirm the data recovery agents, and close the wizard.

After the wizard closes, the data recovery agents appear in the details pane.

To configure an identification field
  1. In the GPMC or Local Group Policy Editor, expand the console tree to Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption, and then click BitLocker Drive Encryption to show the policy settings.

  2. In the details pane, double-click the Provide the unique identifiers for your organization policy setting.

  3. Click Enable. In BitLocker Identification Field, enter the identification field for your organization.

  4. Click OK to apply and close the policy setting.


Drives that were encrypted with BitLocker before an identification field was configured will not have data recovery agents assigned to them due to the absence of an identification field. It is possible to use Windows Management Instrumentation (WMI) or the Manage-bde command-line tool to set an identification field on a previously encrypted drive. When using Manage-bde, the identification field will be set to the value specified in the Provide the unique identifiers for your organization policy setting. For more information about using WMI or Manage-bde, see