BitLocker Data Recovery Agent certificate


  • Hello!

    Can anyone please tell me how I can issue a BitLocker DRA certificate in Windows Server 2012 CA?

    There's no such template in CA 2012, and I can't create it by duplicating the Key Recovery Agent template and adding the BitLocker application policies to it as in CA 2008 R2.

    Thank you in advance,


    • Edited by MF47 Thursday, April 11, 2013 10:08 AM Typo
    Thursday, April 11, 2013 10:07 AM

All replies

  • Hi Michael,

    Thanks for posting in Microsoft TechNet forums.

    Please check the Data Recovery Agent parts in the article below to see if they can be helpful during the troubleshooting:

    BitLocker Group Policy settings


    • Marked as answer by 朱鸿文 Friday, May 10, 2013 6:22 AM
    • Unmarked as answer by MF47 Thursday, May 7, 2015 1:52 PM
    Monday, April 15, 2013 7:05 AM
  • Hi Kevin Zhu,

    Thank you for the useful link! ...but there's no info on what certificate template should be used for a DRA certificate.



    Monday, April 15, 2013 7:58 AM
  • Install the BitLocker Feature to Windows (in Server Manager). That will add support for the BitLocker certificate OIDs.

    You may need to do this both on the system where you make the request, and on the system that is issuing the certificates.

    I personally disagree with this requirement (it is inconsistent with the fact that other OIDs are handled without adding features, and with the fact that the CA system may not need the BitLocker feature), but that's how it is...

    Monday, June 10, 2013 7:14 PM
  • mcb, thank you very much!
    Thursday, June 13, 2013 1:53 PM
  • Hmm - I've installed everything on the server I can to try and get the Bitlocker cert template to become available but still can see nothing...what am I doing wrong...or what else do I need to do!?



    Carl Barrett | Twitter: @Mosquat

    Wednesday, May 6, 2015 1:14 PM
  • Ah OK - I can see them now in the available certificate extensions...

    Carl Barrett | Twitter: @Mosquat

    Wednesday, May 6, 2015 1:55 PM
  • Hello Carl,

    I have the same situation... my domain controllers are Windows 2008 R2 and the CA is 2012 R2. I can't make the template for BitLocker DRA. Can you please post how you got this resolved?

    thank you very much.

    Monday, June 8, 2015 6:13 AM
  • No probs Ben,

    Doing this all from memory as we no longer need to use a DRA - so some info might be a bit sketchy....

    Add the BitLocker component to your CA via Server Management

    Create a duplicate of the Recovery Agent certificate

    Edit the certificate and choose the Extensions tab.

    On this tab you will be able to add the two BitLocker extensions mentioned in the OP's question

    Then you just need to deploy the new certificate.

    ....if you need this for FIPS then post back as I have some other info for you...


    Carl Barrett | Twitter: @Mosquat

    • Proposed as answer by Ben. K Monday, June 8, 2015 7:38 AM
    Monday, June 8, 2015 6:56 AM
  • Carl,

    thank you very much!

    So the key is adding the BitLocker component to the 2012 CA, not the 2008 Domain Controller...
    I did that on the DC since I read some blogs saying so, and I still can't see those CA extensions.
    I will certainly give it a try and let you know the result.
    Thanks again for your reply.


    Monday, June 8, 2015 7:38 AM
  • Michael:

    The instructions you are looking for are at the following URL as part of a blog post, and they appear fairly straightforward given the design flaw that made them necessary in the first place. Likewise, the individual who wrote the blog post appears to have been a native English speaker, so the instructions are cogent. Good luck.

    • Proposed as answer by JSB__MCSE Tuesday, February 14, 2017 12:37 PM
    • Edited by JSB__MCSE Tuesday, February 14, 2017 12:37 PM
    Tuesday, February 14, 2017 12:37 PM
  • Hello JCB_MCSE,

    Thank you so much for the link!



    Wednesday, February 15, 2017 7:40 PM
  • I cannot get the certificate to show up under my personal certificates for export after it has been issued. The CA says it's been issued, but nothing shows up. What is the deal here?
    Friday, December 7, 2018 3:59 PM
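As an added example that is not from any post in this thread, the PowerShell below checks the result of Carl's procedure (BitLocker feature on the CA, duplicated Key Recovery Agent template with the two BitLocker extensions) on the requesting host, and covers the last question by listing requests still stuck in the Certificate Enrollment Requests store when nothing lands in Personal. It assumes the two Microsoft BitLocker application-policy OIDs named in the comments and the Windows Server ServerManager cmdlet `Get-WindowsFeature`; the hashtable, function and variable names are the example's own.

```powershell
# Added example, not code from the thread. Run in an elevated PowerShell on the
# host where the DRA certificate was requested; the CA itself only needs step 1.
# Assumed OIDs: Microsoft's registered BitLocker application policies, listed by
# `certutil -oid` once the BitLocker feature is installed.
$BitLockerOids = @{
    '1.3.6.1.4.1.311.67.1.1' = 'BitLocker Drive Encryption'
    '1.3.6.1.4.1.311.67.1.2' = 'BitLocker Data Recovery Agent'
}

# Step 1: the BitLocker feature is what registers the OIDs. Without it the two
# extensions never appear on the duplicated template's Extensions tab.
# (Get-WindowsFeature is the ServerManager cmdlet; it exists on Server SKUs only.)
$feature = Get-WindowsFeature -Name BitLocker
if ($feature.InstallState -ne 'Installed') {
    Write-Warning "BitLocker feature not installed on $env:COMPUTERNAME. Run Install-WindowsFeature BitLocker (reboot) on the CA and on the requesting host."
}

# Step 2: find issued certificates in the user's Personal store that carry a
# BitLocker EKU. EnhancedKeyUsageList is the property PowerShell adds to
# X509Certificate2 objects from the Cert: drive.
function Get-BitLockerDraCertificate {
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $_.EnhancedKeyUsageList | Where-Object { $BitLockerOids.ContainsKey($_.ObjectId) }
    }
}

$dra = @(Get-BitLockerDraCertificate)
if ($dra.Count -eq 0) {
    # "The CA says it's been issued, but nothing shows up": the enrollment is
    # often still sitting in Certificate Enrollment Requests (Cert:\CurrentUser\REQUEST).
    $pending = @(Get-ChildItem Cert:\CurrentUser\REQUEST)
    if ($pending.Count -gt 0) {
        Write-Host "No DRA certificate in Personal, but $($pending.Count) pending request(s):"
        $pending | Format-Table Subject, NotBefore, Thumbprint -AutoSize
        Write-Host 'Fetch the issued cert with: certreq -retrieve <RequestId> dra.cer ; certreq -accept dra.cer'
    } else {
        Write-Host 'No DRA certificate and no pending request: check Enroll permission on the template and that it is published on the CA.'
    }
    return
}

# Step 3: what a DRA certificate must show before its public part is exported
# for the Public Key Policies > BitLocker Drive Encryption GPO node. The private
# key is only needed on the workstation that will perform recoveries.
foreach ($cert in $dra) {
    [pscustomobject]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        BitLockerEku  = (($cert.EnhancedKeyUsageList | Where-Object { $BitLockerOids.ContainsKey($_.ObjectId) }).ObjectId) -join ','
        HasPrivateKey = $cert.HasPrivateKey
        NotAfter      = $cert.NotAfter
    }
}
```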