Get BitLocker Recovery Key From Active Directory (Jun 2026)
By default, Domain Admins and the built-in Administrators group can read recovery passwords. Helpdesk staff usually need a custom delegation instead: read access to the msFVE-RecoveryPassword attribute on the msFVE-RecoveryInformation objects under the relevant OU, rather than membership in a privileged group.
```powershell
$objComputer = Get-ADComputer COMPUTER_NAME
# msFVE-RecoveryInformation objects are stored as children of the computer
# object, so search directly beneath the computer's distinguished name.
# The filter must be passed as a single string.
$Bitlocker_Object = Get-ADObject -Filter "objectClass -eq 'msFVE-RecoveryInformation'" `
    -SearchBase $objComputer.DistinguishedName -Properties 'msFVE-RecoveryPassword'
# The attribute name contains a hyphen, so it has to be quoted when accessed;
# otherwise PowerShell parses it as a subtraction.
$Bitlocker_Object.'msFVE-RecoveryPassword'
```
This article is a step-by-step technical walkthrough of retrieving the key, from the GUI tools to PowerShell automation.
Because Mark had previously installed the BitLocker Recovery Password Viewer feature, a BitLocker Recovery tab was visible in the computer object's properties.
You can manually force a client machine to upload its current key to Active Directory by running the following command on the local machine via an elevated Command Prompt:
Right-click your domain name at the top of the left navigation pane. Select .
For modern administrators or those managing headless servers, PowerShell offers a significantly faster way to retrieve keys without navigating the GUI.
Once a recovery key is stored in AD, you can retrieve it using three primary methods: via the ADUC console, PowerShell, or third-party tools.
```powershell
# The 8-character Recovery Key ID shown on the BitLocker recovery screen is the
# start of the password ID GUID that forms part of the recovery object's name,
# so a wildcard match on Name finds it domain-wide. Use the same value a user
# reads out to the helpdesk.
$SearchID = "E8A2B3C4"
Get-ADObject -Filter "ObjectClass -eq 'msFVE-RecoveryInformation' -and Name -like '*$SearchID*'" `
    -Properties msFVE-RecoveryPassword |
    # DistinguishedName identifies the computer the object hangs under.
    Select-Object Name, DistinguishedName, msFVE-RecoveryPassword
```
Use PowerShell to regularly audit the BitLocker recovery keys stored in AD and to find computers that have none. You can export the report to a CSV file. Keep the 48-digit recovery passwords themselves out of that file unless it will be protected as carefully as the keys in AD; a coverage report only needs the password IDs and timestamps:
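The following audit script is an added example, not code from the original article. It assumes the ActiveDirectory RSAT module, read access to the msFVE-RecoveryInformation objects, and an arbitrary report path ($ReportPath). It queries every recovery object once, groups them by parent computer, and writes a CSV that records key count, latest backup time and password IDs per computer, deliberately without the plaintext passwords.

```powershell
# Added example (not from the original article): domain-wide audit of
# BitLocker recovery information in AD DS, exported to CSV.
# Assumes the ActiveDirectory RSAT module and read access to the
# msFVE-RecoveryInformation objects; $ReportPath is an arbitrary location.
Import-Module ActiveDirectory

$ReportPath = "C:\Reports\BitLockerAudit.csv"

# One query for every recovery object in the domain rather than one per computer.
# msFVE-RecoveryPassword is intentionally not requested.
$recoveryObjects = Get-ADObject -Filter "ObjectClass -eq 'msFVE-RecoveryInformation'" `
    -Properties whenCreated

# Each recovery object is a child of its computer object, so the parent DN
# (everything after the first RDN) identifies the computer. Recovery object
# names are a timestamp plus a GUID and never contain commas, so splitting on
# the first comma is safe for these objects.
$byComputer = @{}
if ($recoveryObjects) {
    $byComputer = $recoveryObjects |
        Group-Object { ($_.DistinguishedName -split ',', 2)[1] } -AsHashTable -AsString
}

$report = foreach ($computer in Get-ADComputer -Filter * -Properties OperatingSystem, LastLogonDate) {
    # An empty lookup yields $null; filter it out so Count is 0 rather than 1.
    $keys = @($byComputer[$computer.DistinguishedName] | Where-Object { $_ })
    $latest = $null
    if ($keys.Count) {
        $latest = ($keys | Sort-Object whenCreated -Descending)[0].whenCreated
    }
    [pscustomobject]@{
        ComputerName    = $computer.Name
        OperatingSystem = $computer.OperatingSystem
        LastLogonDate   = $computer.LastLogonDate
        KeyCount        = $keys.Count
        LatestBackup    = $latest
        # The object name carries the password ID GUID, which is safe to list;
        # the recovery password itself is never written to disk by this script.
        PasswordIds     = ($keys | ForEach-Object { $_.Name }) -join ';'
    }
}

$report | Sort-Object KeyCount, ComputerName |
    Export-Csv -Path $ReportPath -NoTypeInformation

# Machines with no escrowed key are the ones that need a manual backup
# (or were encrypted before the AD DS backup policy applied).
$report | Where-Object KeyCount -eq 0 |
    Format-Table ComputerName, OperatingSystem, LastLogonDate
```

Run it from a machine with the RSAT AD module under an account delegated read access to the recovery objects. A computer with several password IDs has been re-keyed or has multiple volumes; a stale LastLogonDate with zero keys is usually a decommissioned or never-encrypted machine rather than a failed backup.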
You can force a backup to AD from the client machine using:

```
manage-bde -protectors -adbackup C: -id {YOUR-KEY-ID}
```

The ID is the numerical password protector's GUID, shown in braces in the output of `manage-bde -protectors -get C:`; the command backs up only that protector, so run it once per recovery password protector if the volume has several. It fails if the drive has no recovery password protector, or if the Group Policy setting for storing recovery information in AD DS is not applied to the machine.
The computer may have been encrypted before the "Store BitLocker recovery information in Active Directory Domain Services" Group Policy was enabled. The policy only takes effect when a key protector is created, so keys that existed before it applied are never escrowed automatically and a manual backup is required.
If the "BitLocker Recovery" tab is missing from the computer object's properties, it usually means the BitLocker Recovery Password Viewer feature (an optional RSAT component) is not installed on the machine running ADUC, or, in a domain that was never upgraded, the schema does not yet contain the msFVE-RecoveryInformation class.
This only works if you enabled "Save BitLocker recovery information to AD DS" when you configured BitLocker via GPO (Path: Computer Configuration > Policies > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives > Choose how BitLocker-protected operating system drives can be recovered > Save BitLocker recovery information to AD DS). In the same setting, also tick "Do not enable BitLocker until recovery information is stored to AD DS"; otherwise a machine that cannot reach a domain controller at encryption time will encrypt anyway and end up with no escrowed key.
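As an added example of the manual backup step (not code from the original article), the script below does what the manage-bde command above does, but for every recovery password protector on the drive, using the BitLocker PowerShell module that ships with Windows. It assumes the OS drive is C: and that the AD DS backup policy described above is applied to the client; run it in an elevated session on the client. It also handles the case the manage-bde command cannot: a drive with no recovery password protector at all.

```powershell
# Added example (not from the original article): back up every numerical
# (recovery password) key protector on the OS drive to AD DS, using the
# BitLocker PowerShell module. Run elevated on the client machine.
# Assumes the drive letter is C: and that the AD DS backup policy is applied
# (Backup-BitLockerKeyProtector fails otherwise, just like manage-bde -adbackup).
$MountPoint = "C:"
$volume = Get-BitLockerVolume -MountPoint $MountPoint

if ($volume.VolumeStatus -eq 'FullyDecrypted') {
    Write-Warning "$MountPoint is not BitLocker-protected; nothing to back up."
    return
}

# Only RecoveryPassword protectors are escrowed to AD; TPM, PIN and
# external key protectors are not.
$recoveryProtectors = @($volume.KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword')

if ($recoveryProtectors.Count -eq 0) {
    # A drive encrypted with only a TPM protector has nothing to escrow.
    # Adding a recovery password protector creates one; with the policy
    # applied, the new protector is backed up to AD DS as it is created.
    Write-Warning "No recovery password protector on $MountPoint. Add one with:"
    Write-Warning "  Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector"
    return
}

foreach ($protector in $recoveryProtectors) {
    # Equivalent to: manage-bde -protectors -adbackup C: -id <KeyProtectorId>
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $protector.KeyProtectorId
    "Backed up protector {0} for {1}" -f $protector.KeyProtectorId, $MountPoint
}
```

After running it, confirm from the server side that a fresh msFVE-RecoveryInformation object with a matching GUID in its name now exists under the computer object; a successful backup on the client means the domain controller accepted the write, but checking AD closes the loop.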