Get BitLocker Recovery Key From Active Directory Today
To retrieve a BitLocker recovery key from Active Directory (AD), you must have the BitLocker Recovery Password Viewer feature installed on your domain controller or management workstation. This tool adds a dedicated BitLocker Recovery tab to computer objects within the Active Directory Users and Computers (ADUC) snap-in.

Prerequisites for Viewing Keys

Feature Installation: On Windows Server, use the Add Roles and Features Wizard to install BitLocker Drive Encryption and its sub-feature BitLocker Recovery Password Viewer.
Group Policy: A Group Policy Object (GPO) must be active so that recovery keys are automatically backed up to AD when BitLocker is enabled.
Permissions: By default, only Domain Administrators have the rights to view these keys.

Method 1: Using Active Directory Users and Computers (ADUC)

This is the most common visual method for IT administrators.
Open ADUC: Launch the Active Directory Users and Computers snap-in.
Locate Computer: Navigate to the Organizational Unit (OU) containing the computer.
Open Properties: Right-click the computer object and select Properties.
BitLocker Recovery Tab: Click the BitLocker Recovery tab to view all associated recovery passwords and their backup dates.

Method 2: Searching by Password ID

If you have the 8-character Password ID from the BitLocker recovery screen: in ADUC, right-click the domain container and select Find BitLocker Recovery Password. Enter the first 8 characters of the ID and click Search.

Method 3: Using PowerShell

For bulk retrieval or automation, use the ActiveDirectory module. Retrieve the keys for a specific computer:
powershell
# Load the ActiveDirectory module (installed with RSAT)
Import-Module ActiveDirectory
$Computer = "ComputerName"
$DN = (Get-ADComputer $Computer).DistinguishedName
# Recovery passwords are stored as child objects beneath the computer account,
# so scope the search to the computer's distinguished name
Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' -SearchBase $DN -Properties msFVE-RecoveryPassword |
    Select-Object Name, msFVE-RecoveryPassword

What if the key is missing?

If the BitLocker Recovery tab is missing or empty, it likely means one of the following:
The BitLocker Recovery Password Viewer feature is not installed on your current machine.
The drive was encrypted before the GPO was applied, so the key was never backed up.

Manual Backup Required: You can force a backup to AD from the client machine using:
manage-bde -protectors -adbackup C: -id 'YOUR-KEY-ID'
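As an added example (not code from the original page or from Microsoft's documentation), the following PowerShell function combines the two ActiveDirectory-module queries this page describes, lookup by computer name and lookup by the 8-character Password ID, into one reusable function that also reports which computer each key belongs to and when it was backed up. The function name, its parameters and the sample values in the usage lines are this example's own choices; it assumes the RSAT ActiveDirectory module is installed and that the account running it has read access to msFVE-RecoveryInformation objects.

```powershell
# Added example: look up BitLocker recovery passwords stored in AD, either for a
# named computer or by the 8-character Password ID shown on the recovery screen.
# Requires the RSAT ActiveDirectory module and read access to
# msFVE-RecoveryInformation objects. The function name and parameters are this
# example's own choices, not a Microsoft cmdlet.
Import-Module ActiveDirectory

function Get-AdBitLockerRecoveryPassword {
    [CmdletBinding(DefaultParameterSetName = 'ByComputer')]
    param(
        [Parameter(Mandatory, ParameterSetName = 'ByComputer')]
        [string]$ComputerName,

        # First 8 characters of the Password ID displayed on the locked device
        [Parameter(Mandatory, ParameterSetName = 'ByPasswordId')]
        [ValidatePattern('^[0-9A-Fa-f]{8}$')]
        [string]$PasswordId,

        # Optional domain controller to query (defaults to the module's choice)
        [string]$Server
    )

    # whenCreated is the backup date shown in the ADUC BitLocker Recovery tab
    $common = @{ Properties = @('msFVE-RecoveryPassword', 'whenCreated') }
    if ($Server) { $common.Server = $Server }

    if ($PSCmdlet.ParameterSetName -eq 'ByComputer') {
        # Recovery objects are children of the computer account, so scope the
        # search to the computer's distinguished name.
        $computer = Get-ADComputer -Identity $ComputerName -ErrorAction Stop
        $objects = Get-ADObject @common -SearchBase $computer.DistinguishedName `
            -Filter 'objectClass -eq "msFVE-RecoveryInformation"'
    }
    else {
        # Object names look like "2024-01-15T10:30:00-08:00{GUID}", so the
        # Password ID must be matched inside the braces, not at the start.
        $pattern = "*{$PasswordId*"
        $objects = Get-ADObject @common `
            -Filter "objectClass -eq 'msFVE-RecoveryInformation' -and Name -like '$pattern'"
    }

    foreach ($obj in $objects) {
        # The parent of the recovery object's DN is the computer account;
        # split on unescaped commas only.
        $parentDn = ($obj.DistinguishedName -split '(?<!\\),', 2)[1]
        [pscustomobject]@{
            ComputerName     = ($parentDn -split '(?<!\\),')[0] -replace '^CN=', ''
            PasswordId       = [regex]::Match($obj.Name, '\{([0-9A-Fa-f]{8})').Groups[1].Value
            BackedUp         = $obj.whenCreated
            RecoveryPassword = $obj.'msFVE-RecoveryPassword'
        }
    }
}

# Usage (computer name and Password ID below are placeholders, not real values):
# Get-AdBitLockerRecoveryPassword -ComputerName 'WS-0123' | Sort-Object BackedUp -Descending
# Get-AdBitLockerRecoveryPassword -PasswordId '1A2B3C4D'
```

When a computer has been re-encrypted or had its recovery password rotated, several msFVE-RecoveryInformation objects exist beneath it; sorting by BackedUp and matching PasswordId against the value on the user's screen picks the right one. By default Get-ADObject searches the current domain only, so pass -Server to query a domain controller in another domain of the forest.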
You can retrieve a BitLocker recovery key from Active Directory using Active Directory Users and Computers (ADUC) or PowerShell. This document covers both approaches, as well as the prerequisites required to make them work.

📋 Prerequisites
Before you can view or extract BitLocker keys, your environment must meet the following criteria:
GPO Configuration: A Group Policy Object must be active to automatically back up BitLocker recovery passwords to Active Directory.
RSAT Tools: The technician's machine needs the Remote Server Administration Tools (RSAT) installed, specifically including the BitLocker Recovery Password Viewer extension.
Access Rights: You must have delegated read access to the msFVE-RecoveryInformation objects in Active Directory (Domain Admins have this by default).
🖥️ Method 1: Using Active Directory Users and Computers (GUI)
This is the most common method for retrieving a key for a specific, known machine.

Option A: Via the Computer Object
Open the Active Directory Users and Computers snap-in (dsa.msc).
Navigate to the Organizational Unit (OU) or container holding the target computer.
Right-click the computer object and select Properties.
Navigate to the BitLocker Recovery tab.
Locate the matching Password ID (the first 8 characters displayed on the user's locked BitLocker screen) and copy the associated 48-digit recovery password.
Option B: Searching by Key ID (When computer name is unknown)
In ADUC, right-click your domain container in the left pane. Select Find BitLocker Recovery Password.
Type the first 8 characters of the Password ID shown on the user's physical device. Click Search to extract the corresponding 48-digit string.

⌨️ Method 2: Using PowerShell (Fastest for Admins)
If you do not have the GUI extension installed or prefer working in the console, you can query Active Directory directly for the raw attributes.

Option A: Query a Specific Computer
Replace "TARGET-COMPUTER-NAME" with the actual host name of the target machine:
powershell
# Ensure the Active Directory module is loaded
Import-Module ActiveDirectory
$Computer = "TARGET-COMPUTER-NAME"
$DN = (Get-ADComputer $Computer).DistinguishedName
# Query the recovery objects stored beneath the computer account
Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' -SearchBase $DN -Properties 'msFVE-RecoveryPassword' |
    Select-Object Name, msFVE-RecoveryPassword

Option B: Search the Entire Forest by Key ID
If you only possess the 8-character Key ID from the user's screen, run this command to find the correct machine and password:
powershell
# Replace "12345678" with the first 8 characters of the user's Recovery Key ID.
# The object name is "<creation timestamp>{<recovery GUID>}", so the ID is
# matched anywhere in the name rather than at its start.
$KeyID = "*12345678*"
# Get-ADObject searches the current domain by default; use -Server to query
# a domain controller in another domain.
Get-ADObject -Filter "objectClass -eq 'msFVE-RecoveryInformation' -and Name -like '$KeyID'" -Properties 'msFVE-RecoveryPassword' |
    Select-Object Name, DistinguishedName, msFVE-RecoveryPassword

⚠️ Troubleshooting Missing Keys
If the BitLocker Recovery tab is missing or PowerShell returns no results for a valid computer:
Feature Not Installed: The BitLocker Drive Encryption Administration Utility (Password Viewer) might not be installed on your management console.
Keys Never Backed Up: If BitLocker was enabled before the GPO was applied, the key is not in Active Directory. You will need to manually push the backup from the client machine using:
manage-bde -protectors -adbackup C: -id YOUR-PROTECTOR-ID
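The manual backup step above needs the protector ID of the drive's recovery password, which is not something the user can read off the recovery screen. As an added example (not from the original page), the following function does the same job as the manage-bde command using the built-in BitLocker PowerShell module: it checks the registry value that the "Save BitLocker recovery info to AD DS" policy writes, finds every recovery-password protector on the OS drive, and backs each one up to AD with Backup-BitLockerKeyProtector. The function name is this example's own; it assumes an elevated session on a domain-joined client.

```powershell
# Added example: from a domain-joined client, back up every recovery-password
# protector on the OS drive to Active Directory. Uses the built-in BitLocker
# module (Get-BitLockerVolume / Backup-BitLockerKeyProtector), which performs
# the same operation as "manage-bde -protectors -adbackup". Run elevated.
# The function name is this example's own choice.
function Backup-OsDriveRecoveryPasswordToAd {
    param([string]$MountPoint = $env:SystemDrive)

    # The GPO on this page ("Save BitLocker recovery info to AD DS") sets
    # OSActiveDirectoryBackup=1 under the FVE policy key. Warn rather than
    # stop: a manual backup can still be attempted when the policy is absent.
    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    if (-not $fve -or $fve.OSActiveDirectoryBackup -ne 1) {
        Write-Warning 'AD DS backup policy is not applied on this machine; future keys will not be backed up automatically.'
    }

    $volume = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    $recoveryProtectors = $volume.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

    if (-not $recoveryProtectors) {
        throw "No recovery-password protector exists on $MountPoint; add one with Add-BitLockerKeyProtector -RecoveryPasswordProtector first."
    }

    foreach ($p in $recoveryProtectors) {
        # KeyProtectorId is the GUID that manage-bde expects after -id; its
        # first 8 characters are the Password ID shown on the recovery screen.
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId -ErrorAction Stop | Out-Null
        [pscustomobject]@{
            MountPoint     = $MountPoint
            KeyProtectorId = $p.KeyProtectorId
            PasswordId     = $p.KeyProtectorId.Trim('{}').Substring(0, 8)
            BackedUpToAd   = $true
        }
    }
}

# Usage: run in an elevated session on the client whose key is missing from AD.
# Backup-OsDriveRecoveryPasswordToAd
```

After the function returns, an administrator can confirm the backup from a management workstation by checking the computer object's BitLocker Recovery tab (or querying msFVE-RecoveryInformation objects under the computer account); the PasswordId it prints is the value to match there.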
Retrieving a BitLocker recovery key from Active Directory (AD) is a standard process for IT administrators using Microsoft's BitLocker Recovery Password Viewer. This tool is an extension of the Active Directory Users and Computers (ADUC) snap-in.

Before attempting to retrieve a key, it is important to understand where it lives. When a device is domain-joined and BitLocker is enabled via Group Policy, the recovery password is stored as a child object of the computer account in Active Directory.

This only works if you enabled Active Directory Domain Services (AD DS) backup when you configured BitLocker via GPO.
(Path: Computer Configuration > Policies > Administrative Templates > Windows Components > BitLocker Drive Encryption > Choose how to recover BitLocker-protected OS drives > Save BitLocker recovery info to AD DS)
If that box wasn't checked, AD won't have your key. Stop reading and check your local backup (e.g., printed key, USB stick, or Microsoft account). If it was checked, let's go.

Prerequisites for Retrieval
Before you can view keys, ensure the following setup is in place. To view these keys, an administrator needs:
Feature Installed: The "BitLocker Recovery Password Viewer" must be installed as part of the Remote Server Administration Tools (RSAT) on your management machine or domain controller.
GPO Configured: Computers must be configured via Group Policy to automatically back up recovery information to AD DS.
Permissions: You must have read access to the computer objects in AD; by default, this is restricted to Domain Administrators but can be delegated.

Method 1: View Keys via Computer Object Properties
This method is best if you already know which computer is locked: open the computer object's Properties in ADUC and use the BitLocker Recovery tab.

If you don't see the BitLocker Recovery tab in ADUC (or it is empty), check these:
The BitLocker Recovery Password Viewer feature is not installed on the machine you are working from.
The drive was encrypted before the GPO was applied, so its recovery password was never backed up to AD.