Get Bitlocker Recovery Key From Active Directory Direct

Remember that the BitLocker recovery key provides full access to the encrypted drive data. Always verify the identity of the user requesting the key before providing it. If possible, provide the key verbally rather than via email to maintain a secure chain of custody.

When the GUI or PowerShell fails, ADSI Edit provides raw access to the directory. Use with caution.

This method is only for troubleshooting when standard tools are broken—or when you need to audit recovery keys across the domain.


This only works if you enabled Active Directory Domain Services (AD DS) backup when you configured BitLocker via GPO.
(Path: Computer Config > Policies > Admin Templates > Windows Components > BitLocker Drive Encryption > Choose how to recover BitLocker-protected OS drives > Save BitLocker recovery info to AD DS)

If that box wasn’t checked, AD won’t have your key. Stop reading and check your local backup (e.g., printed key, USB stick, or Microsoft account). If it was checked—let’s go.

Best for: 1-2 machines, help desk teams.

Pro tip: Type the 48 digits carefully. One wrong digit locks you out for another hour.

Import-Module ActiveDirectory
$ou = "OU=Computers,DC=example,DC=com"   # adjust to your OU
# Each msFVE-RecoveryInformation object sits directly under its computer object, so stripping
# the first RDN from the recovery object's DN leaves the computer's DN.
Get-ADObject -SearchBase $ou -Filter 'objectClass -eq "msFVE-RecoveryInformation"' -Properties msFVE-RecoveryPassword, msFVE-RecoveryGuid, whenCreated, msFVE-RecoveryOwner |
    Select-Object @{Name='ComputerDN'; Expression={ $_.DistinguishedName -replace '^CN=[^,]+,', '' }}, msFVE-RecoveryGuid, msFVE-RecoveryPassword, whenCreated |
    Export-Csv -Path C:\Temp\BitLockerRecoveryKeys.csv -NoTypeInformation
# The CSV now holds every recovery password in the OU in clear text; restrict access to it and delete it when the audit is done.
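The export above tells you which keys AD has; it does not tell you which computers have no key in AD at all, which is the failure mode the GPO prerequisite warns about. The following audit is an added example (not code from the original article) that lists every enabled computer in an OU and flags machines with no backed-up recovery object, or only stale ones, without reading any recovery password. It assumes the RSAT ActiveDirectory module and read access to msFVE-RecoveryInformation objects; the OU path and the 180-day threshold are placeholders.

```powershell
# Added example, not from the original article: audit an OU for computers whose
# BitLocker recovery information never reached AD (or is stale). Assumes the RSAT
# ActiveDirectory module and read access to msFVE-RecoveryInformation objects.
# The OU path and the 180-day threshold are placeholders; adjust them.
Import-Module ActiveDirectory

function Get-BitLockerBackupGaps {
    param(
        [Parameter(Mandatory = $true)]
        [string]$SearchBase,
        [int]$StaleDays = 180   # flag machines whose newest key is older than this
    )

    $cutoff = (Get-Date).AddDays(-$StaleDays)

    Get-ADComputer -SearchBase $SearchBase -Filter 'Enabled -eq $true' -Properties OperatingSystem |
        ForEach-Object {
            $computer = $_
            # Recovery objects are children of the computer object, so look one level below it.
            # Only whenCreated is requested; the recovery password itself is never read.
            $keys = @(Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
                -Filter "ObjectClass -eq 'msFVE-RecoveryInformation'" -Properties whenCreated)
            $newest = $keys | Sort-Object whenCreated -Descending | Select-Object -First 1

            if ($keys.Count -eq 0)                   { $status = 'NO KEY BACKED UP' }
            elseif ($newest.whenCreated -lt $cutoff) { $status = 'STALE' }
            else                                     { $status = 'OK' }

            [pscustomobject]@{
                ComputerName    = $computer.Name
                OperatingSystem = $computer.OperatingSystem
                KeyCount        = $keys.Count
                NewestKeyDate   = if ($newest) { $newest.whenCreated } else { $null }
                Status          = $status
            }
        }
}

# Usage: show only the machines that need attention
Get-BitLockerBackupGaps -SearchBase 'OU=Workstations,DC=domain,DC=com' |
    Where-Object Status -ne 'OK' |
    Sort-Object Status, ComputerName |
    Format-Table -AutoSize
```

A machine reported as NO KEY BACKED UP will not be recoverable from AD, so fix the policy and re-run `manage-bde -protectors -adbackup` on it before anyone needs the key.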

Notes:


It happens to every IT admin at least once. A user calls on a Monday morning: "My laptop is asking for a 48-digit recovery key, and I have no idea what it is."

If you’ve properly configured Active Directory (AD) to back up BitLocker keys (either via Group Policy or Microsoft BitLocker Administration and Monitoring (MBAM)), you can easily retrieve that key. Without it, the data on the drive is effectively lost.

In this guide, I’ll walk you through four proven methods to get a BitLocker recovery key from Active Directory.

Prerequisite: This assumes your organization enabled BitLocker recovery key backup to AD. If you haven’t, check your Group Policy: Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives > Choose how BitLocker-protected operating system drives can be recovered.


$computerName = "WS-LAPTOP-0452"
$computerDN = (Get-ADComputer $computerName).DistinguishedName
# Recovery objects are child objects of the computer, so search beneath its DN.
# Created is not returned by default, so it must be requested with -Properties.
Get-ADObject -Filter "ObjectClass -eq 'msFVE-RecoveryInformation'" -SearchBase $computerDN -Properties msFVE-RecoveryPassword, Created |
    Select-Object Name, msFVE-RecoveryPassword, Created

Output example:

Name                                   msFVE-RecoveryPassword            Created
----                                   ----------------------            -------
6b6b6b6b-1111-4444-9999-abcdef123456   456123-789456-123789-456123-...   2025-02-10

Match by Key ID:
If the user gives you the 8-digit “Key ID” from the recovery screen, filter like this:

$keyID = "6B6B6B6B"
# The recovery object's Name contains the full recovery GUID, and -match is case-insensitive,
# so the upper-case Key ID from the recovery screen matches the lower-case GUID in AD.
Get-ADObject -Filter "ObjectClass -eq 'msFVE-RecoveryInformation'" -SearchBase "OU=Workstations,DC=domain,DC=com" -Properties msFVE-RecoveryPassword, msFVE-RecoveryGuid |
    Where-Object { $_.Name -match $keyID } |
    Select-Object msFVE-RecoveryPassword

For helpdesk automation (script example):

param(
    [Parameter(Mandatory=$true)]
    [string]$ComputerName,
    [Parameter(Mandatory=$true)]
    [string]$KeyID
)

$computer = Get-ADComputer $ComputerName -ErrorAction Stop
# The object Name is "<timestamp>{<recovery GUID>}", so the Key ID must be matched as a substring.
$recovery = Get-ADObject -Filter "Name -like '*$KeyID*'" -SearchBase $computer.DistinguishedName -Properties msFVE-RecoveryPassword

if ($recovery) {
    # Property names containing a hyphen must be quoted when accessed with dot notation.
    Write-Host "Recovery Key: $($recovery.'msFVE-RecoveryPassword')" -ForegroundColor Green
} else {
    Write-Host "No matching recovery key found for Key ID: $KeyID" -ForegroundColor Red
}


Retrieving BitLocker recovery keys from Active Directory involves several steps: