Friday, August 30, 2013

Bitlocker Data Recovery Agent Certificate

Microsoft BitLocker supports Data Recovery Agents in Windows 7 and above.
That is a great way for large organizations to ensure that corporate IT or Information Security retains access to encrypted data, both when an individual's pass-phrase recovery is not working and for forensics.

To set up a Data Recovery Agent you can follow Microsoft's blog post http://blogs.technet.com/b/askcore/archive/2010/10/11/how-to-use-bitlocker-data-recovery-agent-to-unlock-bitlocker-protected-drives.aspx

If you do not see the BitLocker Drive Encryption and BitLocker Data Recovery Agent extended key usages (EKUs) listed in the GUI, install the BitLocker feature on your management machine. Even though the feature installation does not require a reboot, the EKUs will not show up in the list until you reboot.

If your Certification Authority is running on Windows 2003 you have to add the EKUs manually. For this you need the OIDs, so here they are:

BitLocker Drive Encryption - 1.3.6.1.4.1.311.67.1.1
BitLocker Data Recovery Agent - 1.3.6.1.4.1.311.67.1.2
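An added example, not part of the original post: a PowerShell check (the function name and the certificate path are assumed placeholders) that a candidate DRA certificate actually carries the EKU OIDs listed above before it is published to clients through Group Policy. A certificate issued from a manually built template that is missing the DRA EKU will simply be ignored by BitLocker, and you only find out when recovery fails.

```powershell
# Added example (not from the original post): verify that a candidate Data Recovery Agent
# certificate carries the BitLocker EKUs before publishing it as a DRA via Group Policy.
# OID values are the ones listed in the post; the .cer path below is a placeholder.
$BitLockerEkuOids = @{
    '1.3.6.1.4.1.311.67.1.1' = 'BitLocker Drive Encryption'
    '1.3.6.1.4.1.311.67.1.2' = 'BitLocker Data Recovery Agent'
}

function Test-BitLockerDraCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    # The Extended Key Usage extension (OID 2.5.29.37) is exposed by .NET as
    # X509EnhancedKeyUsageExtension; its EnhancedKeyUsages collection holds Oid objects.
    $ekuExt = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $present = @()
    if ($ekuExt) {
        foreach ($oid in $ekuExt.EnhancedKeyUsages) {
            if ($BitLockerEkuOids.ContainsKey($oid.Value)) { $present += $oid.Value }
        }
    }
    [pscustomobject]@{
        Subject           = $Certificate.Subject
        Thumbprint        = $Certificate.Thumbprint
        HasDriveEncEku    = $present -contains '1.3.6.1.4.1.311.67.1.1'
        HasDraEku         = $present -contains '1.3.6.1.4.1.311.67.1.2'
        NotAfter          = $Certificate.NotAfter
        # A DRA has to stay valid for as long as data may need recovering; flag short lifetimes.
        ExpiresWithinYear = $Certificate.NotAfter -lt (Get-Date).AddYears(1)
    }
}

# Usage: load the exported public certificate (.cer) that is to be added to the
# BitLocker Drive Encryption policy as a Data Recovery Agent (placeholder path).
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\path\to\dra-agent.cer'
$result = Test-BitLockerDraCertificate -Certificate $cert
$result | Format-List
if (-not $result.HasDraEku) {
    Write-Warning "Certificate lacks the BitLocker Data Recovery Agent EKU (1.3.6.1.4.1.311.67.1.2); BitLocker will not use it as a DRA."
}
```

Once the policy has applied and a volume is encrypted, `manage-bde -protectors -get C:` on a client should list a certificate-based Data Recovery Agent protector; if it does not, check the EKUs with the function above before looking anywhere else.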

