This is the most common method for retrieving a single key for a specific user or computer.
Step 1: Open Active Directory Users and Computers
Log in to your administrative workstation or Domain Controller and open dsa.msc (Active Directory Users and Computers).
Step 2: Enable "Advanced Features"
BitLocker recovery keys are stored in a hidden system container. To see it, open the View menu and select Advanced Features.
Step 3: Locate the Computer Object
Navigate to the Organizational Unit (OU) where the computer resides. Right-click the computer object and select Properties.
Step 4: Find the BitLocker Tab
In the Properties dialog, select the BitLocker Recovery tab.
Step 5: View the Key
Select the appropriate recovery key ID (it usually matches the Key ID displayed on the user's BitLocker lock screen) and click View. You can now copy the 48-digit numerical password.
# Query the recovery objects stored beneath the computer object (replace the DN with the target computer's distinguished name)
Get-ADObject -Filter "objectClass -eq 'msFVE-RecoveryInformation'" -SearchBase "CN=ComputerName,OU=Workstations,DC=domain,DC=com" -Properties 'msFVE-RecoveryPassword'
Retrieving a BitLocker recovery key from Active Directory is a fundamental skill for Windows system administrators. While the GUI provides a clear interface for occasional lookups, PowerShell remains the superior tool for scripting and speed. By understanding the storage architecture and ensuring proper permissions are set, IT teams can ensure that a locked laptop remains a minor inconvenience rather than a data loss disaster.
To retrieve a BitLocker recovery key from Active Directory (AD), you must first ensure that the domain is configured to store these keys and that the necessary administration tools are installed.
1. Prerequisites
Before you can view recovery keys, your environment must meet these requirements:
Feature Installation: The "BitLocker Recovery Password Viewer" must be installed on your Domain Controller or the machine running Remote Server Administration Tools (RSAT).
Group Policy (GPO): A GPO must be active that mandates backing up BitLocker recovery information to Active Directory Domain Services (AD DS).
Permissions: You generally need Domain Admin rights or delegated permissions to view the sensitive msFVE-RecoveryInformation objects.
2. Method 1: Using Active Directory Users and Computers (ADUC)
This is the standard graphical method for retrieving a key for a specific known device.
You can retrieve a BitLocker recovery key from Active Directory using Active Directory Users and Computers (ADUC) or PowerShell. This document covers both approaches, as well as the prerequisites required to make them work.
📋 Prerequisites
Before you can view or extract BitLocker keys, your environment must meet the following criteria:
GPO Configuration: A Group Policy Object must be active to automatically back up BitLocker recovery passwords to Active Directory.
RSAT Tools: The technician's machine needs the Remote Server Administration Tools (RSAT) installed, specifically including the BitLocker Recovery Password Viewer extension.
Access Rights: You must have delegated read access to the msFVE-RecoveryInformation objects in Active Directory (Domain Admins have this by default).
🖥️ Method 1: Using Active Directory Users and Computers (GUI)
This is the most common method for retrieving a key for a specific, known machine.
Option A: Via the Computer Object
Open the Active Directory Users and Computers snap-in (dsa.msc).
Navigate to the Organizational Unit (OU) or container holding the target computer. Right-click on the computer object and select Properties. Navigate to the BitLocker Recovery tab.
Locate the matching Password ID (the first 8 digits displayed on the user's locked BitLocker screen) and copy the associated 48-digit recovery password.
Option B: Searching by Key ID (When computer name is unknown)
In ADUC, right-click your domain container in the left pane. Select Find BitLocker Recovery Password.
Type the first 8 characters of the Password ID shown on the user's physical device. Click Search to extract the corresponding 48-digit string.
⌨️ Method 2: Using PowerShell (Fastest for Admins)
If you do not have the GUI extension installed or prefer working in the console, you can query Active Directory directly for the raw attributes.
Option A: Query a Specific Computer
Replace "TARGET-COMPUTER-NAME" with the actual host name of the target machine:
# Ensure the Active Directory module is loaded
Import-Module ActiveDirectory
$Computer = "TARGET-COMPUTER-NAME"
$DN = (Get-ADComputer $Computer).DistinguishedName
# Query the recovery objects stored beneath the computer object
Get-ADObject -Filter "objectClass -eq 'msFVE-RecoveryInformation'" -SearchBase $DN -Properties 'msFVE-RecoveryPassword' |
    Select-Object Name, 'msFVE-RecoveryPassword'
Option B: Search the Entire Forest by Key ID
If you only possess the 8-character Key ID from the user's screen, run this command to find the correct machine and password:
# Replace "12345678" with the first 8 characters of the user's Recovery Key ID
$KeyID = "12345678"
# Recovery objects are named '<backup timestamp>{<full Key ID>}', so match on the ID portion rather than the start of the name
Get-ADObject -Filter "objectClass -eq 'msFVE-RecoveryInformation' -and Name -like '*{$KeyID*'" -Properties 'msFVE-RecoveryPassword' |
    Select-Object Name, 'msFVE-RecoveryPassword'
⚠️ Troubleshooting Missing Keys
If the BitLocker Recovery tab is missing or PowerShell returns no results for a valid computer:
Feature Not Installed: The BitLocker Drive Encryption Administration Utility (Password Viewer) might not be installed on your management console.
Keys Never Backed Up: If BitLocker was enabled before the GPO was applied, the key is not in Active Directory. You will need to manually push the backup from the client machine using: manage-bde -protectors -adbackup C: -id YOUR-PROTECTOR-ID (list the protector IDs first with manage-bde -protectors -get C:).
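An added example, not code from the original page, that covers both the Method 2 lookups and the troubleshooting check above: the first helper finds escrowed keys by computer name or by the 8-character Password ID and reports when each was backed up (a machine can hold several; the most recent is usually the one in use), and the second lists computers in an OU that have no escrowed key at all. It assumes the ActiveDirectory RSAT module and read access to msFVE-RecoveryInformation objects; the function names are hypothetical.

```powershell
# Added example, not from the page: hypothetical helpers for the Method 2
# lookups and for the "keys never backed up" troubleshooting check.
# Assumes the ActiveDirectory (RSAT) module and read access to
# msFVE-RecoveryInformation objects.
Import-Module ActiveDirectory

function Get-EscrowedBitLockerKey {
    [CmdletBinding(DefaultParameterSetName = 'ByComputer')]
    param(
        [Parameter(ParameterSetName = 'ByComputer', Mandatory)]
        [string]$ComputerName,
        # First 8 characters of the Password ID shown on the lock screen
        [Parameter(ParameterSetName = 'ByKeyId', Mandatory)]
        [ValidatePattern('^[0-9A-Fa-f]{8}$')]
        [string]$KeyIdPrefix
    )
    if ($PSCmdlet.ParameterSetName -eq 'ByComputer') {
        # Keys live as child objects directly beneath the computer object
        $base   = (Get-ADComputer -Identity $ComputerName).DistinguishedName
        $filter = "objectClass -eq 'msFVE-RecoveryInformation'"
    } else {
        # Object names are '<timestamp>{<Key ID GUID>}', so match on the GUID part
        $base   = (Get-ADDomain).DistinguishedName
        $filter = "objectClass -eq 'msFVE-RecoveryInformation' -and Name -like '*{$($KeyIdPrefix)*'"
    }
    Get-ADObject -Filter $filter -SearchBase $base -Properties 'msFVE-RecoveryPassword', whenCreated |
        ForEach-Object {
            [pscustomobject]@{
                Computer   = ($_.DistinguishedName -split ',', 2)[1]   # parent DN = computer
                KeyId      = ($_.Name -replace '^[^{]*\{', '' -replace '\}.*$', '')
                BackedUpOn = $_.whenCreated                            # newest is normally live
                Password   = $_.'msFVE-RecoveryPassword'
            }
        } | Sort-Object BackedUpOn -Descending
}

# Compliance check: computers in an OU that have no escrowed key at all,
# which is the "BitLocker enabled before the GPO applied" case above.
function Find-ComputerWithoutEscrowedKey {
    param([Parameter(Mandatory)][string]$SearchBase)
    Get-ADComputer -Filter * -SearchBase $SearchBase | Where-Object {
        -not (Get-ADObject -Filter "objectClass -eq 'msFVE-RecoveryInformation'" `
                -SearchBase $_.DistinguishedName -SearchScope OneLevel)
    } | Select-Object Name, DistinguishedName
}

# Usage (hypothetical values):
# Get-EscrowedBitLockerKey -KeyIdPrefix '12345678' | Format-List
# Find-ComputerWithoutEscrowedKey -SearchBase 'OU=Workstations,DC=domain,DC=com'
```

The KeyId prefix is validated as eight hex characters before it reaches the directory filter, and the output is returned as objects so it can be piped to Format-List or exported without re-typing the 48-digit password.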
Q: Can I get the BitLocker key if AD was never configured to back it up?
A: No. Without a backup, the only options are to locate the original printed key, the key stored in the user's Microsoft account (personal devices only), or to use the Data Recovery Agent (if one was configured).
Q: Does this work for removable drives (USB, external HDD)?
A: Yes, if Group Policy also backs up removable drive recovery information.
Q: How long are recovery keys stored in AD?
A: Indefinitely, until the computer object is deleted or a script manually removes the msFVE-RecoveryInformation child objects.
Q: Can I retrieve the key from AD if the computer is offline or off-domain?
A: Yes. The key is stored in the directory, not on the client. Offline doesn't matter.
Unlocking encrypted drives without data loss—using native Windows Server tools.
You’re standing at a user’s desk. Their laptop is displaying the grim blue screen of the BitLocker Recovery Console. They don’t have the 48-digit recovery key. Without it, the drive is effectively a brick—and so is their productivity.
If your organization uses Active Directory (AD) and configured Group Policy to back up BitLocker recovery information, you are in luck. The key is likely waiting for you in the msFVE-RecoveryInformation attribute of the computer object.
This article is a step-by-step, technical deep dive on exactly how to get a BitLocker recovery key from Active Directory using five different methods—from GUI tools to PowerShell automation.