Unlock External Drive With Expired Certificate

  • Question

  • I have an external hard drive that has been encrypted using BitLocker.  It has both Smart Card and Data Recovery Agent key protectors applied to it.  Based on the certificate thumbprint, it is using an expired certificate. I was able to retrieve the certificate with private key from another computer, and I have imported it into my certificate store on this system. When I enter the command (manage-bde -unlock g: -cert -ct <certificate thumbprint>), I get the error message that "The certificate failed to unlock Volume G:". I'm not sure what I am doing wrong.  Should the certificate be in a particular store? Should it be in the local computer store or my personal store? I looked at the certificate. When I look at the general tab for the certificate, it says "you have a private key that corresponds to this certificate".  When I look at the thumbprint on the details tab, it matches the one that I see listed after typing this command: manage-bde -protectors -get g:

    I know there must be something I'm overlooking but I'm not sure what.

    Thursday, October 15, 2015 6:04 PM

All replies

  • Hi Chad E. Marshall,

    The certificate should be imported to the local computer store.
    In addition, I hope the following link will be useful.
    How to use Bitlocker Data Recovery Agent to unlock Bitlocker Protected Drives
    http://blogs.technet.com/b/askcore/archive/2010/10/11/how-to-use-bitlocker-data-recovery-agent-to-unlock-bitlocker-protected-drives.aspx

    Best regards


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Monday, October 19, 2015 3:12 AM
    Moderator
  • I did all those and verified that it is in my local personal certificate store and no luck.  I verified that the certificate that I have installed does say "You have a private key that corresponds to this certificate".  I verified the certificate thumbprint matches what is shown for the certificate details.  I'm just not sure why it is failing.  I wish there was a way to get a log or have it show more detail than "the certificate failed to unlock volume G:".  I even exported the certificate and told it to try to use the certificate itself.  That did not work.  I get the same error message.

    From what I was reading manage-bde and Bitlocker Wizard do not generate events in the event viewer which really does not help in troubleshooting the issue.

    Monday, October 19, 2015 1:26 PM
  • Hi Chad E. Marshall,

    Please import the certificate to the "Trusted root certificate store" to have a check.

    Best regards



    Wednesday, October 21, 2015 8:37 AM
    Moderator
  • No luck.  I tried it for my personal account and the local computer account.  With either, I still get the error message that "the certificate failed to unlock volume G:".

    Wednesday, October 21, 2015 6:59 PM
  • Hi Chad E. Marshall,

    Is the private key included in the certificate you have imported?

    To unlock the drive, the private key is necessary.

    Best regards



    Tuesday, October 27, 2015 9:18 AM
    Moderator
  • Yes. When I look at the general tab for the certificate, it says "you have a private key that corresponds to this certificate".

    Tuesday, October 27, 2015 8:28 PM
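
The checks walked through in this thread (which store holds the certificate, whether a private key is attached, whether the thumbprint matches, and whether the certificate has expired) can be gathered in one pass. The PowerShell below is an added example, not part of the original posts; the thumbprint is a placeholder and the list of stores is an assumption covering the locations mentioned above.

```powershell
# Added example. The thumbprint is a placeholder, not a value from the thread.
$Thumbprint = '<certificate thumbprint>'

# Keep only hex digits so that spaces or invisible characters picked up when
# copying from the certificate Details tab do not break the comparison.
$wanted = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

# Stores mentioned in the thread: personal and trusted root, user and computer.
$stores = 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My',
          'Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root'

$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Thumbprint -eq $wanted } |
        ForEach-Object {
            [pscustomobject]@{
                Store         = $store
                Subject       = $_.Subject
                HasPrivateKey = $_.HasPrivateKey
                NotAfter      = $_.NotAfter
                Expired       = $_.NotAfter -lt (Get-Date)
            }
        }
}

if ($found) {
    $found | Format-Table -AutoSize
} else {
    Write-Warning "No certificate with thumbprint $wanted in the checked stores."
}

# List the key protectors recorded on the volume (run from an elevated prompt)
# and compare the certificate thumbprint shown there with the table above.
manage-bde -protectors -get G:
```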