Get Bitlocker Recovery Key From Active Directory

Retrieving BitLocker recovery keys from Active Directory involves several steps:

This method is best if you already know which computer is locked.

Before proceeding, ensure you have the following:

On a domain controller or a machine with Remote Server Administration Tools (RSAT) installed, open Active Directory Users and Computers (dsa.msc).

If you do not know the computer's name but have the 8-character Password ID from the recovery screen: in ADUC, right-click the domain (or a specific container), choose Find BitLocker Recovery Password, and enter the first 8 characters of the Password ID.

Method 3: Using PowerShell

# First 8 characters of the Password ID shown on the recovery screen
$keyID = "6B6B6B6B"

# Recovery objects are named "<timestamp>{<recovery GUID>}", so the Password ID
# can be matched against the object name. -Filter and Where-Object need script blocks.
Get-ADObject -Filter { ObjectClass -eq 'msFVE-RecoveryInformation' } -SearchBase "OU=Workstations,DC=domain,DC=com" -Properties msFVE-RecoveryPassword,msFVE-RecoveryGuid |
    Where-Object { $_.Name -match $keyID } |
    Select-Object msFVE-RecoveryPassword


When the GUI or PowerShell fails, ADSI Edit provides raw access to the directory. Use with caution.

$computerName = "WS-LAPTOP-0452"
$computerDN = (Get-ADComputer $computerName).DistinguishedName

# msFVE-RecoveryInformation objects are child objects of the computer account,
# so searching beneath the computer's DN returns only that machine's keys.
# Created is not returned by default and must be requested with -Properties.
Get-ADObject -Filter { ObjectClass -eq 'msFVE-RecoveryInformation' } -SearchBase $computerDN -Properties msFVE-RecoveryPassword,Created |
    Select-Object Name, msFVE-RecoveryPassword, Created
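The two PowerShell snippets above (lookup by Password ID and lookup by computer name) can be combined into one function that filters on the server side instead of pulling every recovery object to the client. This is an added example, not code from the original page; it assumes the ActiveDirectory RSAT module is available and that the running account has read access to msFVE-RecoveryPassword. The function name Find-BitLockerRecoveryPassword and the sample values 6B6B6B6B and WS-LAPTOP-0452 are constructed for illustration.

```powershell
# Added example: look up BitLocker recovery passwords in AD either by the
# 8-character Password ID from the recovery screen or by computer name.
# Requires the ActiveDirectory module (RSAT) and read access to the
# msFVE-RecoveryPassword attribute. Sample names below are constructed.
Import-Module ActiveDirectory

function Find-BitLockerRecoveryPassword {
    [CmdletBinding(DefaultParameterSetName = 'ByPasswordId')]
    param(
        # First 8 hex characters of the Password ID shown on the recovery screen
        [Parameter(Mandatory, ParameterSetName = 'ByPasswordId')]
        [ValidatePattern('^[0-9A-Fa-f]{8}$')]
        [string]$PasswordId,

        # Computer account name (without the trailing $)
        [Parameter(Mandatory, ParameterSetName = 'ByComputerName')]
        [string]$ComputerName,

        # Defaults to the whole domain; narrow to an OU to speed up large searches
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )

    # msFVE-RecoveryInformation objects are children of the computer object and
    # are named "<timestamp>{<recovery GUID>}". The Password ID is the first 8
    # hex digits of that GUID, so an LDAP wildcard on the name matches it
    # server-side instead of filtering every key object with Where-Object.
    if ($PSCmdlet.ParameterSetName -eq 'ByPasswordId') {
        $ldap = "(&(objectClass=msFVE-RecoveryInformation)(name=*{$($PasswordId.ToUpper())*))"
    } else {
        # Fails fast with a clear error if the computer account does not exist
        $computer = Get-ADComputer -Identity $ComputerName -ErrorAction Stop
        $SearchBase = $computer.DistinguishedName
        $ldap = '(objectClass=msFVE-RecoveryInformation)'
    }

    $results = Get-ADObject -LDAPFilter $ldap -SearchBase $SearchBase -SearchScope Subtree `
        -Properties msFVE-RecoveryPassword, whenCreated

    if (-not $results) {
        Write-Warning "No recovery information found under $SearchBase. Confirm the key was backed up to AD and that this account can read msFVE-RecoveryPassword."
        return
    }

    foreach ($r in $results) {
        # The parent of the key object is the computer object; its CN is the computer name.
        $parentDn = $r.DistinguishedName -replace '^CN=[^,]+,', ''
        [pscustomobject]@{
            ComputerName     = ($parentDn -replace '^CN=([^,]+),.*$', '$1')
            PasswordId       = [regex]::Match($r.Name, '\{([0-9A-Fa-f]{8})').Groups[1].Value
            RecoveryPassword = $r.'msFVE-RecoveryPassword'
            Created          = $r.whenCreated
            KeyObjectDN      = $r.DistinguishedName
        }
    }
}

# Usage (constructed sample values):
# Find-BitLockerRecoveryPassword -PasswordId 6B6B6B6B
# Find-BitLockerRecoveryPassword -ComputerName WS-LAPTOP-0452 | Sort-Object Created -Descending
```

A computer that has been re-protected or has several encrypted volumes will have more than one key object, which is why the output includes Created and the DN of each object: the Password ID on the recovery screen identifies exactly one of them. Because the recovery password is a credential, keep read access to msFVE-RecoveryPassword limited to the help-desk or administrator groups that actually need it.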

To manage BitLocker recovery keys effectively in AD:

The "BitLocker Recovery Password Viewer" must be installed as part of the Remote Server Administration Tools (RSAT) on your management machine or domain controller.

For devices joined to Microsoft Entra ID instead of local Active Directory, administrators can find keys by navigating to Microsoft Entra ID > Devices and selecting "Show Recovery Key" for the specific device.