# How to Create a Master BitLocker Recovery Key for All Endpoints

**Key Points**

- [Pre-Configuration](https://www.manageengine.com/products/desktop-central/help/bitlocker-management/how-to/bitlocker-recovery-using-dra.html#preconfig)
- [Generating the Master Recovery Certificate](https://www.manageengine.com/products/desktop-central/help/bitlocker-management/how-to/bitlocker-recovery-using-dra.html#master)
- [Deploying the DRA Protector to Endpoints](https://www.manageengine.com/products/desktop-central/help/bitlocker-management/how-to/bitlocker-recovery-using-dra.html#deploy)
- [Key Security and Lifecycle Considerations](https://www.manageengine.com/products/desktop-central/help/bitlocker-management/how-to/bitlocker-recovery-using-dra.html#key)
- [Exporting the Lost DRA Private Key](https://www.manageengine.com/products/desktop-central/help/bitlocker-management/how-to/bitlocker-recovery-using-dra.html#export)
- [Unlocking OS Drive using DRA Private Key](https://www.manageengine.com/products/desktop-central/help/bitlocker-management/how-to/bitlocker-recovery-using-dra.html#unlock)
- [Deleting DRA Protectors](https://www.manageengine.com/products/desktop-central/help/bitlocker-management/how-to/bitlocker-recovery-using-dra.html#delete)

## Overview

In large Windows environments, BitLocker recovery often depends on individual 48-digit recovery passwords stored per device. When these passwords are unavailable, recovery becomes operationally difficult and may result in permanent data loss.

To address this at scale, BitLocker supports a **certificate-based recovery mechanism** known as a **Data Recovery Agent (DRA)**. Instead of managing recovery passwords per device, administrators generate a **single certificate pair** that acts as a **master recovery key**:

- A **public certificate (.cer)** is deployed to all managed endpoints and added as a BitLocker protector.
- A **private certificate (.pfx)** is securely retained by the organization and can unlock any drive protected by the corresponding public key.

![BitLocker DRA Recovery Flow](https://www.manageengine.com/products/desktop-central/help/images/bitlocker-dra-lifecycle-recovery.png)

When managed through Endpoint Central, this approach provides centralized, controlled, and auditable BitLocker recovery across the organization without weakening BitLocker's encryption model.

## Pre-Configuration

Before creating and deploying a master recovery key, review the following prerequisites to ensure successful enforcement.

### Supported Operating Systems

Ensure endpoints run Windows editions that support BitLocker DRA.

**Windows Client Operating Systems**

- Windows 7: Enterprise, Ultimate
- Windows 8 / 8.1: Pro, Enterprise
- Windows 10: Pro, Enterprise, Education
- Windows 11: Pro, Enterprise, Education

**Windows Server Operating Systems**

- Windows Server 2008 / 2008 R2
- Windows Server 2012 / 2012 R2
- Windows Server 2016
- Windows Server 2019
- Windows Server 2022

### PowerShell Availability

- Windows PowerShell 5.1 or later must be present.
- Scripts must be executed with administrative privileges.

### Security Planning

- Identify a **secure, controlled system** where the certificate will be generated.
- Decide where the private key (.pfx) will be stored (for example, offline USB storage or a secure vault).
- Limit access to the private key to authorized recovery personnel only.

## Generating the Master Recovery Certificate

This step creates the certificate pair that forms the foundation of centralized BitLocker recovery.

1. Download the [certificate generation script](https://workdrive.zohoexternal.in/external/7319518baed7a6cb19acb5548241ce630b60d653070eb9b40e7379ce01d57880).
2. Open **Windows PowerShell as Administrator** on the chosen secure system.
3. Run the following command, replacing `<path>` with the folder that contains the script:

   ```powershell
   PowerShell.exe -ExecutionPolicy Bypass -File "<path>\UEMS_Generate_Cert.ps1"
   ```

4. Running this script generates a BitLocker DRA certificate and exports the following two files to the script's directory. When prompted, create a **strong password** to protect the private key.
   - **Public Key (.cer)**: Deploy this file to all endpoints to configure the BitLocker DRA protector on the drives.
   - **Private Key (.pfx)**: **Store this file securely** (e.g., on a USB drive) along with the chosen password. This key is required to unlock any drive encrypted with the corresponding public key.

The certificate is also installed in the local certificate store of the system where it was generated, enabling future export if required.

## Deploying the DRA Protector to Endpoints

Once the master recovery certificate is created, the public key must be deployed to all managed devices so it is added as a BitLocker protector.

### Add the Deployment Script

1. Download the [DRA deployment script](https://workdrive.zohoexternal.in/external/e087d1be4657390ae1ddb406f05fc5770a679ab2a090d53846fa3fd3a3a986b1).
2. In the Endpoint Central console, navigate to **Configuration → Script Repositories**.
3. Select **Create/Modify Script → Add Script**.
4. Browse for and select the provided **UEMS_BLM_DRA_Script.ps1** file.
5. Click **Add Script**.

![Adding the Script](https://www.manageengine.com/products/desktop-central/help/images/add-blm-script.png)

### Configure Deployment

1. Navigate to **Configuration → Windows → Custom Script → Computer**.
2. Select the **UEMS_BLM_DRA_Script.ps1** script added in the previous step.
3. In the **Dependency Files** field, browse for and select the generated `.cer` file. This `.cer` file must be named **UEMS_BLM_PublicKey.cer** to work correctly.
4. Configure the following settings:
   - Frequency: **Once**
   - Logging: **Enabled** (enable logging for troubleshooting)
   - Run as: **System User**

   ![Creating the configuration](https://www.manageengine.com/products/desktop-central/help/images/configure-blm-script.png)

5. Click **Deploy** and deploy the configuration to the required device groups.

**Note:** The DRA protector is added immediately for drives that are already encrypted (except locked drives). For drives that are not yet encrypted, the DRA protector will be added automatically once the drive becomes encrypted.

### Verify Execution

Navigate to **Configuration > All Configuration** and select the deployed configuration to view the summary.

- **Success**: A green status indicates the configuration executed successfully.
- **Failure**: If the configuration failed, select the configuration, click **Execution Status**, and then select **View Log** to investigate.

![Deployment Status](https://www.manageengine.com/products/desktop-central/help/images/blm-config-status.png)

### What Happens After Deployment

After successful deployment, each BitLocker-encrypted drive gains an **additional recovery protector** tied to the DRA certificate. The existing encryption remains unchanged; no re-encryption is required.

During recovery scenarios where the standard recovery password is unavailable:

- The drive can be unlocked using the **private .pfx file** and its password.
- This applies uniformly across all endpoints that received the public key.

This establishes a **single, organization-controlled recovery mechanism** that works across devices without relying on per-machine recovery keys.

## Key Security and Lifecycle Considerations

### Private Key Protection

- The private key and its password are critical assets.
- If both are lost **and** the certificate is removed from the original system, recovery becomes impossible for drives protected by that DRA.
- Do not delete the certificate from the certificate store of the generation system.

### Key Recovery and Rotation

- If the private key file is lost, it can be re-exported from the original system where the certificate was generated.
- If the certificate itself is lost or compromised:
  - Remove existing DRA protectors from endpoints.
  - Generate a new certificate pair.
  - Redeploy the updated public key organization-wide.

### Operational Impact

- DRA does not replace standard BitLocker recovery passwords; it complements them.
- Administrators gain a controlled fallback mechanism without reducing endpoint security posture.

## Exporting the Lost DRA Private Key

1. Download [this script](https://workdrive.zohoexternal.in/external/d3103d8a7441396dc12d2fa5d6029f9c7cf0896419f071f3e7df1bd8e8a88805).
2. Run these steps **on the same machine where the certificate was originally generated**.
3. Execute the following command in Windows PowerShell as Administrator, replacing `<path>` with the folder that contains the script:

   ```powershell
   PowerShell.exe -ExecutionPolicy Bypass -File "<path>\UEMS_Export_Pvt_Key.ps1"
   ```

4. If the machine contains only one DRA certificate named **UEMS_BLM_DRA**, the script will automatically detect it and proceed to export the private key after prompting you to set a password for the `.pfx` file.
5. If multiple DRA certificates exist on the machine, the script will list all matching certificates and prompt you to select the correct one by its **Thumbprint**.
6. To identify the correct Thumbprint, verify the public key deployed to endpoints. On any endpoint where the public key protector is added, run the following, replacing `<drive letter>` with the protected drive:

   ```powershell
   manage-bde -protectors -get <drive letter>:
   ```

7. After selecting the correct Thumbprint, the script will prompt you to set a password and export the **private key (.pfx)** to the same directory where the script is executed.
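The two checks below are an added example, not one of ManageEngine's scripts: `Test-DraProtector` confirms on an endpoint that each encrypted volume carries a protector referencing the deployed certificate's thumbprint (the "Verify Execution" section), and `Find-DraCertificate` takes that thumbprint back to the generation machine to confirm the matching certificate and its private key are still present before running the export script (step 6 above). The `.cer` location and the certificate store paths are assumptions; run both as Administrator.

```powershell
# Added example, not one of ManageEngine's scripts. Two helpers that cross-check the DRA
# certificate by thumbprint; run as Administrator. Store paths and file paths are assumptions.

function Test-DraProtector {
    # Run on an endpoint that received UEMS_BLM_PublicKey.cer. Reports, per BitLocker volume,
    # whether a key protector references the deployed certificate's thumbprint.
    param([string]$CerPath = "C:\ProgramData\UEMS_BLM_PublicKey.cer")   # assumed location
    $cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
    $expected = $cer.Thumbprint.ToUpperInvariant()
    foreach ($vol in Get-BitLockerVolume) {
        # Certificate (DRA) protectors carry a Thumbprint; TPM and password protectors leave it empty.
        $hit = $vol.KeyProtector | Where-Object { $_.Thumbprint -and $_.Thumbprint.ToUpperInvariant() -eq $expected }
        [pscustomobject]@{
            Drive        = $vol.MountPoint
            VolumeStatus = $vol.VolumeStatus
            DraProtector = [bool]$hit
            Thumbprint   = $expected
        }
    }
}

function Find-DraCertificate {
    # Run on the machine where UEMS_Generate_Cert.ps1 was executed. Given the thumbprint seen on an
    # endpoint (Test-DraProtector or "manage-bde -protectors -get <drive>:"), locate the matching
    # certificate and confirm its private key is still present so UEMS_Export_Pvt_Key.ps1 can export it.
    param([Parameter(Mandatory)][string]$Thumbprint, [string]$Subject = "UEMS_BLM_DRA")
    $wanted = ($Thumbprint -replace '[\s:-]', '').ToUpperInvariant()
    # The page does not say which store the generator uses, so both personal stores are searched.
    $found = foreach ($store in 'Cert:\LocalMachine\My', 'Cert:\CurrentUser\My') {
        Get-ChildItem $store | Where-Object { $_.Subject -like "*$Subject*" -and $_.Thumbprint -eq $wanted } |
            Select-Object @{n='Store';e={$store}}, Subject, Thumbprint, NotAfter, HasPrivateKey
    }
    if (-not $found) { Write-Warning "No certificate with thumbprint $wanted on this machine."; return }
    if (-not ($found | Where-Object HasPrivateKey)) { Write-Warning "Certificate present but its private key is missing." }
    $found
}

# Usage (endpoint): flag encrypted volumes that still lack the DRA protector
# Test-DraProtector | Where-Object { $_.VolumeStatus -ne 'FullyDecrypted' -and -not $_.DraProtector }
# Usage (generation machine): Find-DraCertificate -Thumbprint '<thumbprint from endpoint>'
```

A volume that is still `FullyDecrypted` is expected to show no DRA protector, since the page notes the protector is only added once the drive becomes encrypted.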
![Exporting DRA Key](https://www.manageengine.com/products/desktop-central/help/images/export-dra-key.png)

## Unlocking OS Drive using DRA Private Key

Follow the steps below to unlock the OS drive using the DRA private key during boot.

**Note:** This documentation assumes the OS drive letter is **C:**

1. **Access Command Prompt in Recovery Mode**
   - If the recovery password is unavailable, press **Esc** when prompted for the recovery key.
   - Navigate to **Troubleshoot > Advanced Options > Command Prompt**.

2. **Unlock the Drive** (ensure the USB device containing the `.pfx` file is connected)
   - Run the following command, replacing `<path to .pfx>` with the actual path of the private key file:

     ```powershell
     manage-bde -unlock C: -certificate -cf "<path to .pfx>" -pin
     ```

   - When prompted, **enter the password** created during the `.pfx` export.
   - To find the USB drive letter, run `diskpart` and then `list volume`:

     ```powershell
     diskpart
     list volume
     ```

   ![Drive Letter through CMD](https://www.manageengine.com/products/desktop-central/help/images/drive-letter-cmd.png)

   ![Unlocking OS Drive with Private Key](https://www.manageengine.com/products/desktop-central/help/images/unlocking-osdrive-with-key.jpg)

3. **Decrypt the Drive**

   The drive is now unlocked, but it will lock again upon exiting the Command Prompt. To prevent this, decrypt the drive:

   ```powershell
   manage-bde -off C:
   ```

4. **Verify Decryption Status**

   Decryption takes time. **Do not restart** until the **Conversion Status** displays **Fully Decrypted**. Monitor progress using:

   ```powershell
   manage-bde -status C:
   ```

5. Once fully decrypted, close the Command Prompt and **restart the machine**.

## Deleting DRA Protectors

### Add the Deletion Script

1. To delete all DRA protectors on a machine, download [this script](https://workdrive.zohoexternal.in/external/01c01a9441ecbe8364f19c80079e77a6f523333e2a47a54cf07fcaac95e9025f). To delete specific DRA protectors, download [this script](https://workdrive.zohoexternal.in/external/caf3001605fc67661034ee84af180fe3a2ea5169ba162a63bfc46514ac6babd3).
2. In the Endpoint Central console, navigate to **Configuration → Script Repositories**.
3. Select **Create/Modify Script → Add Script**.
4. Browse for and select either:
   - **UEMS_Delete_Specific_DRA_Protectors.ps1**, or
   - **UEMS_Delete_All_DRA_Protectors.ps1**
5. Click **Add Script**.

### Configure Deployment

1. Navigate to **Configuration → Windows → Custom Script → Computer**.
2. Select the appropriate deletion script.
3. In the **Dependency Files** field, browse for and select the exact `.cer` public key file whose protector needs to be deleted. The file must be named **UEMS_BLM_PublicKey.cer** to work correctly.
4. Configure the following settings:
   - Frequency: **Once**
   - Logging: **Enabled**
   - Run as: **System User**
5. Click **Deploy** and deploy the configuration to the required device groups.

### Verify Execution

Navigate to **Configuration > All Configuration** and select the deployed configuration to view the summary.

- **Success**: A green status indicates successful execution.
- **Failure**: If the configuration failed, select the configuration, click **Execution Status**, and then select **View Log** to investigate.