Background
BitLocker is a full disk encryption feature in Windows that protects data on a computer by encrypting the entire drive. The BitLocker recovery key is a crucial component of this encryption, as it's used to unlock the drive in case the user forgets their password or the drive becomes corrupted.
Storing BitLocker recovery keys in Active Directory
In an Active Directory (AD) environment, BitLocker recovery keys can be backed up to AD, where they are stored as child objects of the computer account and shown on the computer object's BitLocker Recovery tab. This allows administrators to retrieve the recovery key if a user is unable to access their encrypted drive.
How to retrieve a BitLocker recovery key from Active Directory
To retrieve a BitLocker recovery key from AD, you'll need the prerequisites described later on this page: the Active Directory Users and Computers (ADUC) snap-in, the BitLocker Recovery Password Viewer feature, and permission to read the recovery information objects.
Alternatively, you can use PowerShell (ActiveDirectory module) to retrieve the BitLocker recovery key from AD. The recovery information lives in msFVE-RecoveryInformation child objects beneath the computer object, so search under the computer's distinguished name and read the msFVE-RecoveryPassword attribute:
$DN = (Get-ADComputer <computer_name>).DistinguishedName
Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' -SearchBase $DN -Properties msFVE-RecoveryPassword | Select-Object Name, msFVE-RecoveryPassword
Replace <computer_name> with the name of the computer with the encrypted drive.
Interesting paper
If you're interested in reading more about BitLocker and recovery key management, I recommend checking out the following papers:
Keep in mind that these papers might not be the most recent publications, but they still provide valuable insights into BitLocker and recovery key management.
Do you have any specific questions about retrieving BitLocker recovery keys from Active Directory or more information on these papers? I'm here to help!
Retrieving a BitLocker recovery key from Active Directory Domain Services (AD DS) is a common task for IT administrators managing domain-joined Windows devices. This process requires that the organization has previously configured Group Policy Objects (GPOs) to automatically back up BitLocker recovery information to AD.
Prerequisites for Retrieval
To view recovery keys, you must meet the following requirements:
- Administrative rights: you generally need Domain Admin rights or specifically delegated permissions to view BitLocker recovery information.
- RSAT tools: the Active Directory Users and Computers (ADUC) snap-in must be installed.
- BitLocker Recovery Password Viewer: this Windows feature must be enabled on your domain controller or management workstation to add the "BitLocker Recovery" tab to computer object properties.
Method 1: Using Active Directory Users and Computers (ADUC)
This is the most common graphical method for finding a specific computer's key:
1. Open ADUC: launch the snap-in on your management machine.
2. Locate the computer: navigate to the Organizational Unit (OU) where the target computer object is stored.
3. Open Properties: right-click the computer object and select Properties.
4. Access the Recovery tab: click the BitLocker Recovery tab. All recovery keys ever backed up for that device will be listed here.
5. Match the ID: compare the Password ID (the first 8 characters of the key identifier, not of the 48-digit recovery password itself) with the one displayed on the user's locked screen to ensure you provide the correct key.
Method 2: Searching by Password ID
If you do not know the computer's name but have the 8-character Password ID from the recovery screen:
1. In ADUC, right-click the domain (or a specific container).
2. Select Find BitLocker Recovery Password.
3. Enter the first 8 characters of the Password ID and click Search.
Method 3: Using PowerShell
For bulk retrieval or automation, use the ActiveDirectory module. To retrieve the recovery passwords for a specific computer:
$Computer = "ComputerName"
$DN = (Get-ADComputer $Computer).DistinguishedName
Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' -SearchBase $DN -Properties msFVE-RecoveryPassword | Select-Object Name, msFVE-RecoveryPassword
Each result is one recovery object; its Name starts with the backup timestamp followed by the key GUID whose first 8 characters are the Password ID.
What if the key is missing?
If the BitLocker Recovery tab is missing or empty, it likely means:
- The BitLocker Recovery Password Viewer feature is not installed on your current machine (the tab is missing entirely).
- The drive was encrypted before the GPO was applied (the tab is present but empty).
Manual backup: you can force a backup to AD from the client machine using:
manage-bde -protectors -adbackup C: -id 'YOUR-KEY-ID'
where YOUR-KEY-ID is the ID of the numerical password protector shown by manage-bde -protectors -get C:. Group Policy settings are needed to ensure all future computers automatically save their keys to AD.
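Two tasks the ADUC search and the one-computer query above do not cover are locating a key from nothing but the Password ID, and auditing which computers have no escrowed key at all. This added example (not from the page or from Microsoft) does both with the ActiveDirectory module; it assumes read access to msFVE-RecoveryInformation objects, and the OU path in the usage lines is a placeholder.

```powershell
# Added example, not from the page: locate a recovery password by the 8-character
# Password ID from the recovery screen, and audit an OU for computers whose key was
# never escrowed. Assumes the ActiveDirectory (RSAT) module and read access to
# msFVE-RecoveryInformation objects; the OU path in the usage line is a placeholder.
Import-Module ActiveDirectory

function Find-BitLockerRecoveryByPasswordId {
    param(
        [Parameter(Mandatory)]
        [ValidatePattern('^[0-9A-Fa-f]{8}$')]
        [string]$PasswordId
    )
    # Each recovery object is a child of its computer object and is named
    # "<backup timestamp>{<key protector GUID>}", so the Password ID is the text
    # right after the brace. Search the whole domain rather than one computer.
    $filter = "(&(objectClass=msFVE-RecoveryInformation)(cn=*{$($PasswordId)*))"
    Get-ADObject -LDAPFilter $filter -SearchBase (Get-ADDomain).DistinguishedName `
                 -Properties msFVE-RecoveryPassword, whenCreated |
        ForEach-Object {
            # Everything after the first RDN is the owning computer's DN.
            $computerDn = ($_.DistinguishedName -split ',', 2)[1]
            [pscustomobject]@{
                Computer   = (Get-ADObject -Identity $computerDn).Name
                BackedUp   = $_.whenCreated
                PasswordId = $PasswordId
                # The 48-digit password: read it to the user, do not log it.
                Recovery   = $_.'msFVE-RecoveryPassword'
            }
        }
}

function Get-ComputersWithoutEscrowedKey {
    param([Parameter(Mandatory)][string]$SearchBase)
    # Defender check: computers with no recovery object underneath them have a
    # key that is not backed up to AD and cannot be recovered from here.
    Get-ADComputer -Filter * -SearchBase $SearchBase | Where-Object {
        -not (Get-ADObject -LDAPFilter '(objectClass=msFVE-RecoveryInformation)' `
                           -SearchBase $_.DistinguishedName -SearchScope OneLevel)
    } | Select-Object Name, DistinguishedName
}

# Usage with placeholder values:
# Find-BitLockerRecoveryByPasswordId -PasswordId '1A2B3C4D'
# Get-ComputersWithoutEscrowedKey -SearchBase 'OU=Workstations,DC=domain,DC=com'
```

Run the audit function periodically and treat every computer it returns as a pending escrow failure to fix before the machine ever needs recovery.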
If you don't see the BitLocker Recovery tab in ADUC, or it is empty, check these:
1. On the client, confirm a recovery password protector exists:
manage-bde -protectors -get C:
Look for "Numerical Password". If it is present on the client but not in AD, the GPO backup setting was never enabled when the drive was encrypted.
2. Confirm you have read access to the msFVE-RecoveryInformation objects. Domain Admins have it by default.
3. For minimal environments without PowerShell, the legacy dsquery command-line tool works. First list the recovery objects under the computer (msFVE-RecoveryInformation is an object class, so it goes in the filter, not in -attr):
dsquery * "CN=ComputerName,OU=Workstations,DC=domain,DC=com" -scope subtree -filter "(objectClass=msFVE-RecoveryInformation)" -attr distinguishedName
The output gives the DNs of the recovery objects (each CN is the backup timestamp followed by the key GUID). Then read the password from one of them:
dsquery * "CN=GUID,CN=ComputerName,OU=Workstations,DC=domain,DC=com" -scope base -attr msFVE-RecoveryPassword
This is clumsy but functional.
"The Key Isn't There"
If you locate the computer object but find no recovery keys in the BitLocker tab, it means the key was never backed up to AD. This usually happens if the drive was encrypted before the backup GPO applied to the machine, or if the computer object was moved after encryption (see the table below).
To resolve this, if the machine is currently accessible (unlocked), you can force a backup using the manage-bde command. The -id parameter is required and takes the ID of the numerical password protector, which manage-bde -protectors -get C: prints:
manage-bde -protectors -adbackup C: -id {KEY-PROTECTOR-ID}
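The manual manage-bde backup above needs the protector GUID copied by hand for each volume. This added example (not from the page or from Microsoft) does the same escrow step with the built-in BitLocker PowerShell module, covering the case where no numerical password exists yet and reporting the outcome per protector. It assumes an elevated session on a domain-joined client whose GPO allows AD backup; the mount point defaults to C:.

```powershell
# Added example, not from the page: run elevated on the unlocked client to back up
# every numerical-password (recovery) protector on a volume to AD. Equivalent to
# "manage-bde -protectors -adbackup C: -id {GUID}" for each protector, without
# copying GUIDs by hand. Assumes the built-in BitLocker module and a domain-joined
# machine whose GPO permits the backup; $MountPoint 'C:' is the default.
function Backup-RecoveryProtectorsToAD {
    param([string]$MountPoint = 'C:')

    $volume   = Get-BitLockerVolume -MountPoint $MountPoint
    $recovery = $volume.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'

    if (-not $recovery) {
        # Nothing to escrow: the volume has no numerical password at all. One must
        # be added (Add-BitLockerKeyProtector -RecoveryPasswordProtector) first.
        Write-Warning "$MountPoint has no RecoveryPassword protector; nothing to back up"
        return
    }

    foreach ($kp in $recovery) {
        # KeyProtectorId is "{GUID}"; its first 8 hex characters are the Password
        # ID the user sees on the recovery screen.
        try {
            Backup-BitLockerKeyProtector -MountPoint $MountPoint `
                -KeyProtectorId $kp.KeyProtectorId -ErrorAction Stop
            $ok = $true
        } catch {
            # Typical causes: not domain-joined, no DC reachable, or the AD backup
            # Group Policy not applied to this machine.
            Write-Warning "Backup of $($kp.KeyProtectorId) failed: $_"
            $ok = $false
        }
        [pscustomobject]@{
            MountPoint     = $MountPoint
            KeyProtectorId = $kp.KeyProtectorId
            PasswordId     = $kp.KeyProtectorId.Trim('{}').Substring(0, 8)
            BackedUpToAD   = $ok
        }
    }
}

# Usage: Backup-RecoveryProtectorsToAD -MountPoint 'C:'
```

After it reports BackedUpToAD = True, confirm the new entry appears on the computer object's BitLocker Recovery tab before telling the user the key is escrowed.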
Permissions Errors
Standard user accounts cannot read BitLocker recovery keys for security reasons. Even helpdesk staff may need specific delegation. To allow a specific group to retrieve keys, you must delegate "Read" permissions on the msFVE-RecoveryInformation object class to the specific OU containing the computers.
| Symptom | Likely Cause | Fix |
|---------|--------------|-----|
| No BitLocker tab at all | BitLocker Recovery Password Viewer feature not installed on the machine running ADUC | Install the feature (RSAT / Add Roles and Features), then reopen ADUC |
| Tab exists but no entries | Key escrow failed; or computer object moved after encryption | Check event log: Get-WinEvent -LogName "Microsoft-Windows-BitLocker-API/Management"; force a backup from the client with manage-bde -protectors -adbackup |
| Tab has red X / access denied | Insufficient permissions | Delegate Read on msFVE-RecoveryInformation objects as described under Permissions Errors |
| Key ID mismatch | Multiple recovery keys; user gave wrong ID | Match the Password ID from the recovery screen against the Password ID column in the BitLocker Recovery tab, then read out that entry's 48-digit password |