Unlock/Decrypt Bitlocker drive without recovery key
Hi,
I have seen some discussion around this and it all seems to point the same direction. My scenario is a bit different so I thought I would try asking.
We had a laptop come into the help desk with a hard drive that is failing. The failing hard drive was removed and a replacement drive was installed. The tech then deleted the AD computer object and didn't write down the recovery key first. Our recovery keys are stored in Active Directory. The laptop was then reimaged and a new computer object was created.
I had a sys admin restore the AD object and there is a recovery key there. I connected the encrypted drive to another computer using a USB adapter and once it's detected, I am prompted to enter the recovery key. I enter the recovery key from the recovered AD object and it says there was an error recovering the disk and the key is incorrect. I noticed that the Password ID of the drive doesn't match the Password ID in Active Directory. What that says to me is I basically don't have a good recovery key.
I have done some reading on the Data Recovery Agent and it looks like it might be possible to unlock the drive and decrypt, but the procedure I have involves using a smartcard. Our infrastructure is not designed to use smartcards at this time, nor do we have a smartcard onsite. Is there any way to use the Data Recovery Agent with something other than a smartcard? Companies like OnTrack must have a way to get around the encryption since data recovery is their line of business.
Thanks a lot for your help!
Rob
February 3rd, 2011 1:33pm
I guess you are right about missing the correct recovery key for the failed disk.
In order to use the recovery agent you are not required to use a smart card. Smart cards are the safest way to store a certificate. But you can create a certificate and store the private key in a safe location to use when you need to recover an encrypted disk.
Ray - Author of Windows 7 for XP Professionals
February 3rd, 2011 7:21pm
Ray,
Do you know where I could find the procedure? I have done quite a bit of looking around and I can't seem to find anything. TechNet didn't seem to have anything but a lot of discussion around BitLocker, what it does, how it works, etc. Nothing really on recovery scenarios.
Thanks,
Rob
February 3rd, 2011 7:41pm
Here are a few articles that describe how you can use the BitLocker Recovery Agent:
http://technet.microsoft.com/en-us/library/ee424312(WS.10).aspx
http://technet.microsoft.com/en-us/library/dd875560(WS.10).aspx
http://technet.microsoft.com/en-us/library/dd630628(WS.10).aspx
Ray - Author of Windows 7 for XP Professionals
February 3rd, 2011 7:50pm
The first two links talk about using smartcard certificates. That was the procedure I was looking at prior to posting. I don't have a way to use a smartcard on this network.
February 3rd, 2011 8:09pm
This article shows that you can do it without storing the certificate on a smart card. The smart card is just a secure container to store certificates. There is nothing that keeps you from storing the certificate some place else.
http://blogs.technet.com/b/askcore/archive/2010/10/11/how-to-use-bitlocker-data-recovery-agent-to-unlock-bitlocker-protected-drives.aspx
Ray - Author of Windows 7 for XP Professionals
February 4th, 2011 7:01am
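The following script is an added example, not part of the original thread or of the linked TechNet article. It walks the recovery path the thread describes in one pass from an elevated PowerShell prompt: read the key protectors from the attached drive's metadata, look up the msFVE-RecoveryInformation objects under the restored computer object in AD, compare the recovery GUIDs (the Password ID the unlock prompt shows is the first 8 characters of that GUID) so that a mismatched key is never even tried, and fall back to the Data Recovery Agent certificate held in the current user's Personal certificate store instead of on a smart card. The drive letter E:, the computer name LAPTOP01, and the regular expressions used to pick IDs and thumbprints out of the manage-bde output are assumptions; verify the parsed values against `manage-bde -protectors -get E:` by eye before trusting them. Note that a DRA can only unlock a volume that already carries a DRA protector, which is why the policy has to be in place before the drive is encrypted.

```powershell
# Added example (not from the thread or Microsoft). Assumptions: the failing drive is
# attached as E:, the restored computer object is LAPTOP01, this runs elevated on a
# domain-joined host with the RSAT ActiveDirectory module, and manage-bde.exe is present.
param(
    [string]$Drive        = 'E:',        # hypothetical drive letter
    [string]$ComputerName = 'LAPTOP01'   # hypothetical computer object name
)
Import-Module ActiveDirectory

# 1. Key protectors live in unencrypted volume metadata, so this works on a locked drive.
#    The regexes below assume manage-bde's usual "Numerical Password:" / "ID: {GUID}" and
#    "Data Recovery Agent (Certificate):" / thumbprint layout; check them against the raw output.
$protectors = manage-bde -protectors -get $Drive | Out-String
$driveGuids = [regex]::Matches($protectors, '(?s)Numerical Password:.*?ID:\s*\{([0-9A-Fa-f-]+)\}') |
              ForEach-Object { $_.Groups[1].Value.ToUpper() }
$draThumbs  = [regex]::Matches($protectors, '(?s)Data Recovery Agent.*?([0-9A-Fa-f]{2}(?:\s?[0-9A-Fa-f]{2}){19})') |
              ForEach-Object { ($_.Groups[1].Value -replace '\s', '').ToUpper() }

# 2. Every BitLocker key escrowed for this computer is a child object of the computer
#    account. The CN is "<timestamp>{<recovery GUID>}"; msFVE-RecoveryPassword is the 48-digit key.
$computerDn = (Get-ADComputer -Identity $ComputerName).DistinguishedName
$adKeys = Get-ADObject -SearchBase $computerDn -SearchScope OneLevel `
                       -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
                       -Properties msFVE-RecoveryPassword |
          ForEach-Object {
              if ($_.Name -match '\{([0-9A-Fa-f-]+)\}') {
                  New-Object PSObject -Property @{
                      Guid     = $Matches[1].ToUpper()
                      Password = $_.'msFVE-RecoveryPassword'
                  }
              }
          }

Write-Host "Password ID(s) on ${Drive}: $($driveGuids -join ', ')"
Write-Host "Password ID(s) in AD      : $(($adKeys | ForEach-Object { $_.Guid }) -join ', ')"

# 3. Only a recovery password whose GUID matches a protector on the drive can work. A mismatch
#    (the situation in the thread) means AD holds a key for a different volume or a different
#    encryption instance, and typing it in will always be rejected.
$match = $adKeys | Where-Object { $driveGuids -contains $_.Guid } | Select-Object -First 1
if ($match) {
    manage-bde -unlock $Drive -RecoveryPassword $match.Password
    if ($LASTEXITCODE -eq 0) { Write-Host "Unlocked $Drive with recovery password $($match.Guid)"; return }
    Write-Warning "Recovery password $($match.Guid) matched by ID but manage-bde still failed (exit $LASTEXITCODE)."
}

# 4. Fall back to the Data Recovery Agent. Requirements: the volume carries a DRA protector
#    (added by policy when it was encrypted), and the DRA certificate *with its private key*
#    is in the current user's Personal store. Importing the PFX file into Cert:\CurrentUser\My
#    is sufficient; no smart card is needed.
if (-not $draThumbs) {
    Write-Warning "$Drive has no Data Recovery Agent protector; a DRA certificate cannot unlock it."
    return
}
foreach ($thumb in $draThumbs) {
    $cert = Get-ChildItem Cert:\CurrentUser\My |
            Where-Object { $_.Thumbprint -eq $thumb -and $_.HasPrivateKey }
    if (-not $cert) {
        Write-Warning "DRA certificate $thumb with private key is not in CurrentUser\My; import the PFX first."
        continue
    }
    manage-bde -unlock $Drive -Certificate -ct $thumb
    if ($LASTEXITCODE -eq 0) { Write-Host "Unlocked $Drive with DRA certificate $thumb"; return }
}
Write-Warning "Could not unlock ${Drive}: no matching recovery password and no usable DRA certificate."
```

Once the volume is unlocked, `manage-bde -off E:` decrypts it in place, or the data can simply be copied off. The Password ID comparison in step 3 is the check worth keeping even without the rest: if the GUID on the drive is not among the GUIDs under the computer object, no amount of retyping the escrowed password will help, and the only remaining options are a DRA protector that was added before the key was lost or a recovery key file saved elsewhere.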
That was a great find! I believe your searching skills may surpass mine...
When I got to the "Request Certificate" step, I discovered that the Data Recovery Agent certificate is not available to me. I suppose that would mean our infrastructure is not currently designed to provide this functionality. I will push on our sys admins to see if we can get the cert added.
Once I am able to get the DRA certificate, I'll report back with my results.
February 4th, 2011 1:21pm
By the way, if any of you are told that you can get a Master Recovery Key from a manufacturer if you can prove your identity, I'm here to tell you that is completely untrue. Only because I'm getting desperate, I gave Lenovo a call and the first thing they asked was what I was smokin'! NO manufacturer has a "Master Key" for BitLocker. Calling the manufacturer about an encrypted drive with no recovery key is a complete waste of time!
Now, back to reality...
February 4th, 2011 8:26pm