Get BitLocker Recovery Key From Active Directory

To retrieve a BitLocker recovery key from Active Directory (AD), you can use the built-in management console (GUI) or PowerShell. Both methods require that your domain controller has the BitLocker Recovery Password Viewer feature installed.

Method 1: Using Active Directory Users and Computers (GUI)

This is the most common way to find a key for a specific device.

Open ADUC: Launch the Active Directory Users and Computers snap-in.

Locate the Computer: Find the specific computer object in its Organizational Unit (OU).

View Properties: Right-click the computer and select Properties.

BitLocker Recovery Tab: Click the BitLocker Recovery tab. You will see a list of recovery passwords and their associated dates.

Search by Password ID: If you have the 8-character Password ID from the recovery screen, right-click the Domain container, select Find BitLocker Recovery Password, and enter the ID to search.

Method 2: Using PowerShell

PowerShell is faster for remote lookups or when you need to pull keys for multiple machines.


Unlocking Access: How to Retrieve BitLocker Recovery Keys from Active Directory

In a managed enterprise environment, BitLocker is the gold standard for full-disk encryption. However, when a user is greeted by the blue recovery screen after a BIOS update or hardware change, the situation can quickly turn into a high-priority ticket.

If your organization is configured to back up these keys to Active Directory Domain Services (AD DS), you can retrieve them in seconds. This guide covers how to find those keys and what to do if the necessary tools are missing.

Prerequisites for Success

Before you can view keys, ensure the following are true:

Feature Installed: The BitLocker Recovery Password Viewer must be installed on your Domain Controller or management workstation via RSAT.

Permissions: You must have read access to the computer objects in AD. By default, only Domain Administrators have this, though it can be delegated.

GPO Configured: Keys only appear in AD if a Group Policy was active at the time of encryption to "store BitLocker recovery information in AD DS."

Method 1: Using Active Directory Users and Computers (ADUC)
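Before walking through the console steps, here is an added PowerShell check for the three prerequisites just listed (viewer installed, read access to the stored keys, and the backup policy on the target computer). It is example code written for this page, not code from any of the articles quoted here. It assumes the ActiveDirectory RSAT module is loaded on the admin workstation, WinRM access to the target computer, and that the policy writes the OSActiveDirectoryBackup and OSRequireActiveDirectoryBackup values under the FVE policy key (the operating-system-drive variants; data-drive values are not checked).

```powershell
# Added example, not from any of the articles quoted on this page. Checks the
# prerequisites for viewing BitLocker keys in AD from an admin workstation.
# Assumes: ActiveDirectory RSAT module, WinRM access to the target computer.
Import-Module ActiveDirectory

function Test-BitLockerViewerInstalled {
    # ProductType 1 = workstation. Servers carry the viewer as an RSAT feature,
    # clients as a Features-on-Demand capability.
    $isServer = (Get-CimInstance Win32_OperatingSystem).ProductType -ne 1
    if ($isServer) {
        return [bool](Get-WindowsFeature -Name 'RSAT-Feature-Tools-BitLocker-BdeAducExt').Installed
    }
    $cap = Get-WindowsCapability -Online -Name 'Rsat.BitLocker.Recovery.Tools*' -ErrorAction SilentlyContinue
    return [bool]($cap | Where-Object State -eq 'Installed')
}

function Test-BitLockerSchemaPresent {
    # Keys can only be stored if the schema defines the msFVE-RecoveryInformation class.
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $cls = Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=msFVE-RecoveryInformation)'
    return [bool]$cls
}

function Test-BitLockerAdBackupPolicy {
    param([Parameter(Mandatory)][string]$ComputerName)
    # Reads the registry values the "Store BitLocker recovery information in
    # AD DS" policy writes for operating-system drives (value names assumed).
    # This reflects the policy now, not necessarily at encryption time.
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $p = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
        [PSCustomObject]@{
            ComputerName  = $env:COMPUTERNAME
            BackupToAdDs  = [bool]$p.OSActiveDirectoryBackup
            RequireBackup = [bool]$p.OSRequireActiveDirectoryBackup
        }
    }
}

function Test-BitLockerAdPrerequisites {
    param([Parameter(Mandatory)][string]$ComputerName)
    $computer = Get-ADComputer -Identity $ComputerName -ErrorAction Stop
    # Counting stored keys doubles as the permissions check: an access-denied
    # error here means the read delegation on the computer object is missing.
    $keyCount = @(Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
        -LDAPFilter '(objectClass=msFVE-RecoveryInformation)').Count
    [PSCustomObject]@{
        ViewerInstalled = Test-BitLockerViewerInstalled
        SchemaPresent   = Test-BitLockerSchemaPresent
        KeysStoredInAd  = $keyCount
        Policy          = Test-BitLockerAdBackupPolicy -ComputerName $ComputerName
    }
}

# Usage: Test-BitLockerAdPrerequisites -ComputerName 'WKS-0123' | Format-List
```

A result with KeysStoredInAd of 0 while BackupToAdDs is true usually means the drive was encrypted before the policy applied, which is the case the GPO prerequisite warns about; a result with SchemaPresent false means the forest has never been prepared for BitLocker storage and no viewer or search will find anything.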

This is the most common way for helpdesk teams to find a key for a specific workstation.

Open ADUC: Launch the Active Directory Users and Computers snap-in.

Find the Computer: Navigate to the OU where the computer object is located.

Open Properties: Right-click the computer and select Properties.

BitLocker Recovery Tab: Select this tab to see all recovery passwords associated with that machine.

Note: If this tab is missing, see the troubleshooting section below.

Method 2: Global Search by Password ID

If you don't know which computer the key belongs to, you can search using the Password ID (the first 8 characters shown on the user's recovery screen).

Right-click your Domain container in ADUC.

Select Find BitLocker Recovery Password.

Enter the first 8 characters of the ID and click Search.

Method 3: Quick Retrieval via PowerShell

For those who prefer the CLI or need to automate reports, PowerShell is the fastest route. Use the following command (requires the Active Directory module):
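The following is an added PowerShell example, written for this page rather than taken from any of the quoted articles, covering both the per-computer lookup described under the PowerShell methods and the Password ID search from Method 2. It assumes the ActiveDirectory RSAT module, read access to the recovery objects, and the documented naming of those objects: each stored password is a child object of class msFVE-RecoveryInformation under the computer, with a CN of the form "<timestamp>{<Password ID GUID>}". The function names and the sample computer name and ID in the usage lines are made up for illustration.

```powershell
# Added example, not code from the quoted articles. Lists BitLocker recovery
# passwords stored in AD for one computer, or finds one by the 8-character
# Password ID a user reads from the recovery screen.
# Assumes: ActiveDirectory RSAT module, read access to the recovery objects.
Import-Module ActiveDirectory

function Get-AdBitLockerRecovery {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$ComputerName)

    $computer = Get-ADComputer -Identity $ComputerName -ErrorAction Stop

    # Recovery passwords are not attributes of the computer object; each one is
    # a child object of class msFVE-RecoveryInformation directly beneath it.
    Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
                 -LDAPFilter '(objectClass=msFVE-RecoveryInformation)' `
                 -Properties 'msFVE-RecoveryPassword', 'msFVE-RecoveryGuid', 'whenCreated' |
        Sort-Object whenCreated -Descending |
        ForEach-Object {
            [PSCustomObject]@{
                ComputerName     = $computer.Name
                Created          = $_.whenCreated
                # msFVE-RecoveryGuid is stored as 16 raw bytes; the Guid
                # constructor yields the Password ID the recovery screen shows.
                PasswordId       = ([guid]::new([byte[]]$_.'msFVE-RecoveryGuid')).ToString().ToUpper()
                RecoveryPassword = $_.'msFVE-RecoveryPassword'
            }
        }
}

function Find-AdBitLockerRecoveryById {
    [CmdletBinding()]
    param([Parameter(Mandatory)][ValidatePattern('^[0-9A-Fa-f]{8}$')][string]$PasswordIdPrefix)

    # The recovery object's CN embeds the full Password ID in braces, so the
    # first 8 hex characters can be matched as an LDAP substring (assumed format).
    $prefix = $PasswordIdPrefix.ToUpper()
    Get-ADObject -SearchBase (Get-ADDomain).DistinguishedName `
                 -LDAPFilter "(&(objectClass=msFVE-RecoveryInformation)(cn=*{$prefix*))" `
                 -Properties 'msFVE-RecoveryPassword', 'whenCreated' |
        ForEach-Object {
            # The parent of a recovery object is the computer it belongs to.
            $parentDn = ($_.DistinguishedName -split ',', 2)[1]
            [PSCustomObject]@{
                ComputerName     = (Get-ADObject -Identity $parentDn).Name
                Created          = $_.whenCreated
                ObjectName       = $_.Name
                RecoveryPassword = $_.'msFVE-RecoveryPassword'
            }
        }
}

# Usage (sample names are made up):
#   Get-AdBitLockerRecovery -ComputerName 'WKS-0123' | Format-Table -AutoSize
#   Find-AdBitLockerRecoveryById -PasswordIdPrefix 'A9D37C14'
#   'WKS-0123','WKS-0124' | ForEach-Object { Get-AdBitLockerRecovery $_ } | Export-Csv keys.csv -NoTypeInformation
```

The lookup returns every stored password newest first, which matters when a machine has been re-encrypted: the user's screen shows the Password ID of the protector currently on the disk, so match on PasswordId rather than taking the first row. Reads of these objects are the same privileged access the GUI uses, so they should be performed with the delegated account the Permissions prerequisite describes and the exported CSV treated as the secret it contains.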

Understanding BitLocker and Active Directory Integration

BitLocker provides an additional layer of security to computers by encrypting the hard drive. When BitLocker is enabled on a computer, it generates a recovery key, which can be stored in multiple locations, including a USB drive, a file on the computer, or most conveniently for organizations, in Active Directory. The integration with Active Directory allows administrators to manage and recover BitLocker keys across the organization efficiently.

Method 3: ADSI Edit (When Nothing Else Works)

Best for: Deep troubleshooting, corrupt permissions, or very old DCs.

  1. Run adsiedit.msc → Connect to Default naming context.
  2. Browse to CN=Computers,DC=yourdomain,DC=com → right-click your computer object → Properties.
  3. Scroll to the msFVE-RecoveryInformation attribute.
  4. Click View → double-click each entry to reveal the 48-digit password.

How to Retrieve BitLocker Recovery Keys from Active Directory

Losing a BitLocker recovery key can be a nerve-wracking experience, especially when a user is locked out of their device. If your organization utilizes Active Directory (AD) to back up recovery information, the key is safely stored and ready for retrieval by IT administrators.

This guide outlines the steps to locate and export BitLocker recovery keys using the Active Directory Users and Computers (ADUC) console and PowerShell.

Method 5: Using Command Line (dsquery + dsget)

For minimal environments without PowerShell, legacy command-line tools work. The recovery passwords are stored as child objects of class msFVE-RecoveryInformation beneath the computer object, so the first query filters on that class and returns their distinguished names:

dsquery * "CN=ComputerName,OU=Workstations,DC=domain,DC=com" -scope subtree -filter "(objectClass=msFVE-RecoveryInformation)" -attr distinguishedName

The output gives DNs of recovery objects. Then:

dsquery * "CN=GUID,CN=ComputerName,OU=Workstations,DC=domain,DC=com" -attr msFVE-RecoveryPassword

This is clumsy but functional.