Get BitLocker Recovery Key From Active Directory
Import-Module ActiveDirectory
$computer = "COMPUTERNAME"
# List every recovery object under the computer object that actually carries a recovery password
Get-ADObject -Filter "objectClass -eq 'msFVE-RecoveryInformation' -and msFVE-RecoveryPassword -like '*'" -SearchBase (Get-ADComputer $computer).DistinguishedName -Properties msFVE-RecoveryPassword, whenCreated |
    Select-Object @{Name='Computer';Expression={$computer}}, msFVE-RecoveryPassword, whenCreated
Run on the client:
manage-bde -protectors -get C:
This shows the protector types and the Numerical Password ID (which matches msFVE-RecoveryGuid in AD) and confirms whether a recovery password protector exists on the volume.
This guide covers how to locate and recover BitLocker recovery keys stored in Active Directory for Windows domain-joined devices, using both the AD web UI and PowerShell for bulk lookups.
Best for: 1-2 machines, help desk teams.
Pro tip: Type the 48 digits carefully. One wrong digit locks you out for another hour.
The ability to get a BitLocker recovery key from Active Directory separates reactive IT firefighting from proactive, scalable management. Whether you click through ADUC, run a PowerShell one-liner, or build a delegated helpdesk portal, the key is already there—if you configured backup at encryption time.
Next steps for your organization:
Your users will thank you when that blue recovery screen appears—and you hand them the golden 48-digit key in under a minute.
This guide covers the various methods to retrieve a BitLocker recovery key from Active Directory, ensuring you can regain access to your data quickly and securely.
Prerequisites: Is the Key in AD?
Before attempting these steps, ensure your environment is configured for BitLocker backup. For a key to exist in AD:
The computer must be domain-joined.
Group Policy Objects (GPO) must be configured to store BitLocker recovery information in AD DS.
BitLocker must have been enabled after these policies were applied (or the key must have been manually backed up via the command line).
Method 1: Using Active Directory Users and Computers (ADUC)
This is the most common method for IT administrators. To use it, you need the BitLocker Recovery Password Viewer feature installed (part of RSAT).
Open ADUC: Press Win + R, type dsa.msc, and hit Enter.
Locate the Computer: Browse to the Organizational Unit (OU) where the computer object resides.
Open Properties: Right-click the computer object and select Properties.
BitLocker Recovery Tab: Click the BitLocker Recovery tab. Here, you will see a list of all recovery passwords associated with that specific machine.
Verify the ID: Match the Password ID (the first 8 characters shown on the locked PC) with the list in AD to find the correct 48-digit key.
Method 2: Using Active Directory Administrative Center (ADAC)
If you prefer a more modern interface or need to search globally across the domain, ADAC is an excellent choice.
Open ADAC: Type "Active Directory Administrative Center" in your Start menu.
Global Search: Click on the search icon or the local domain on the left.
Add Criteria: Click Add Criteria and select BitLocker Recovery Key.
Search by ID: Enter the 8-digit Recovery Key ID provided on the user's BitLocker recovery screen.
View Results: The search will return the specific recovery object containing the full 48-digit password.
Method 3: Using PowerShell (The Fastest Way)
PowerShell is ideal for admins who want to skip the GUI. You will need the ActiveDirectory module installed.
Run the following command, replacing ComputerName with the actual name of the machine:
$Computer = Get-ADComputer -Identity "ComputerName"
# Recovery objects are children of the computer object, so search beneath its DN
Get-ADObject -Filter "objectClass -eq 'msFVE-RecoveryInformation'" -SearchBase $Computer.DistinguishedName -Properties msFVE-RecoveryPassword | Select-Object msFVE-RecoveryPassword
Alternatively, if you only have the Recovery ID, use this script (the object's Name embeds the recovery GUID after a timestamp, so the ID prefix is matched there; restricting the object class avoids matching unrelated objects):
Get-ADObject -Filter "objectClass -eq 'msFVE-RecoveryInformation' -and Name -like '*{RecoveryID*'" -Properties msFVE-RecoveryPassword | Select-Object Name, msFVE-RecoveryPassword
Method 4: Self-Service via BitLocker Portal (MBAM)
If your organization uses Microsoft BitLocker Administration and Monitoring (MBAM), users may be able to retrieve their own keys without contacting the help desk.
Navigate to your organization’s Help Desk Portal or Self-Service Portal URL. Enter the Key ID and the reason for the request.
The portal will provide the 48-digit key if the user is authorized for that device.
Troubleshooting: Why is the key missing?
Run on the client:
manage-bde -protectors -get C:
If you followed the steps above and found no "BitLocker Recovery" tab or no keys listed, consider the following:
Permissions: You must have Domain Admin rights or delegated permissions to view sensitive attributes.
RSAT Missing: If you don’t see the BitLocker tab in ADUC, ensure the "BitLocker Recovery Password Viewer" feature is enabled in Windows Features.
Key Not Backed Up: The device may have been encrypted before the AD backup policy was active. You can force a backup to AD from the client machine using:
manage-bde -protectors -adbackup C: -id Your-Protector-ID
Best Practices for the Future
Audit Policies: Regularly check that your GPOs are correctly forcing backups to AD.
Azure AD / Entra ID: If you are in a hybrid or cloud-only environment, check the Microsoft Entra (Azure AD) device portal, as keys for Intune-managed devices are stored there instead of local AD.
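The Recovery-ID lookup (Method 3) and the backup-coverage audit (Audit Policies) above, as one added PowerShell example that is not from the original page. Get-BitLockerKeyByPasswordId, Get-BitLockerBackupGaps, the sample Password ID and the OU distinguished name are assumed names and placeholders; it assumes the RSAT ActiveDirectory module and delegated read access to msFVE-RecoveryInformation objects.

```powershell
# Added example, not from the original page. Assumes the RSAT ActiveDirectory module
# and read access to msFVE-RecoveryInformation objects; the ID and OU below are placeholders.
Import-Module ActiveDirectory

# Look up a recovery password by the Password ID shown on the recovery screen.
# Each recovery object is a child of its computer object and is named
# "<timestamp>{<GUID>}", where the GUID is the full Password ID.
function Get-BitLockerKeyByPasswordId {
    param([Parameter(Mandatory)][string]$PasswordId)

    # Accept "{ABCDEF12-...}" or a bare prefix; only the first 8 hex chars are needed.
    $id = $PasswordId -replace '[^0-9A-Fa-f]', ''
    if ($id.Length -lt 8) { throw "Password ID must contain at least 8 hex characters" }
    $id = $id.Substring(0, 8)

    # An LDAP filter sidesteps the -Filter parser's handling of hyphenated attribute names.
    Get-ADObject -LDAPFilter "(&(objectClass=msFVE-RecoveryInformation)(name=*{$id*))" `
                 -Properties msFVE-RecoveryPassword, whenCreated |
        ForEach-Object {
            # The parent DN (split on the first unescaped comma) identifies the computer.
            $parentDn = ($_.DistinguishedName -split '(?<!\\),', 2)[1]
            [pscustomobject]@{
                Computer   = (Get-ADObject -Identity $parentDn).Name
                PasswordId = $_.Name -replace '^.*\{([^}]+)\}$', '$1'
                Created    = $_.whenCreated
                Password   = $_.'msFVE-RecoveryPassword'
            }
        }
}

# Audit backup coverage for an OU: report computers that have no recovery object
# at all, without reading any password values.
function Get-BitLockerBackupGaps {
    param([Parameter(Mandatory)][string]$SearchBase)

    Get-ADComputer -Filter * -SearchBase $SearchBase -Properties OperatingSystem |
        ForEach-Object {
            $keys = Get-ADObject -LDAPFilter '(objectClass=msFVE-RecoveryInformation)' `
                                 -SearchBase $_.DistinguishedName -SearchScope OneLevel
            if (-not $keys) { $_ | Select-Object Name, OperatingSystem, DistinguishedName }
        }
}

# Placeholder usage: the ID is the 8 characters displayed on the locked PC.
Get-BitLockerKeyByPasswordId -PasswordId 'ABCDEF12'
Get-BitLockerBackupGaps -SearchBase 'OU=Workstations,DC=example,DC=com'
```

Computers listed by the audit are the ones that will show an empty BitLocker Recovery tab later, so run manage-bde -protectors -adbackup on them before a recovery is needed.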
Retrieving a BitLocker recovery key from Active Directory Domain Services (AD DS) is a standard administrative task for IT professionals managing domain-joined Windows devices. When BitLocker is configured via Group Policy to back up recovery information to AD DS, the 48-digit recovery password is saved as a child object of the computer's Active Directory object.
Prerequisites for Key Retrieval
Before you can view these keys, your environment must meet specific requirements:
Administrative Permissions: By default, only Domain Administrators have the necessary read access to BitLocker recovery objects, though this permission can be delegated to specific security groups.
RSAT Tools: The machine you are using must have Remote Server Administration Tools (RSAT) installed.
Recovery Password Viewer: The "BitLocker Recovery Password Viewer" feature must be enabled on your domain controller or administrative workstation to reveal the "BitLocker Recovery" tab in computer properties.
Method 1: Using Active Directory Users and Computers (ADUC)
The most common graphical method involves using the Active Directory Users and Computers (ADUC) snap-in:
Locate the Device: Open ADUC and navigate to the Organizational Unit (OU) containing the target computer object.
Access Properties: Right-click the computer object and select Properties.
View Recovery Key: Select the BitLocker Recovery tab. All recovery passwords associated with that specific machine will be listed.
Verify the Key ID: Match the "Password ID" (the first 8 characters are usually sufficient) shown on the user's BitLocker recovery screen with the one in AD to ensure you provide the correct 48-digit key.
Method 2: Searching by Password ID
If you do not know the computer name but have the Password ID from the recovery screen:
Right-click your domain in the left pane of ADUC and select Find BitLocker recovery password.
Enter the first eight characters of the Password ID and run the search. AD will locate any matching computer objects containing that recovery key.
Method 3: Using PowerShell
For bulk retrieval or faster access, you can use the Active Directory PowerShell module. Replace COMPUTERNAME with the actual name of the target device:
$computer = Get-ADComputer COMPUTERNAME
# Recovery objects live directly beneath the computer object in AD
Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' -SearchBase $computer.DistinguishedName -Properties 'msFVE-RecoveryPassword' | Select-Object Name, msFVE-RecoveryPassword
This script targets the msFVE-RecoveryInformation object class, which holds the encrypted volume's recovery details.
Troubleshooting Missing Keys
If the BitLocker Recovery tab is missing or empty:
Feature Not Installed: Ensure the BitLocker Drive Encryption feature and its sub-feature, BitLocker Recovery Password Viewer, are installed on the server via the "Add Roles and Features" wizard.
GPO Not Applied: The computer may have been encrypted before the "Store BitLocker recovery information in Active Directory Domain Services" Group Policy was enabled.
Manual Backup Required: For "old" computers that were encrypted before the policy, you may need to manually trigger a backup to AD using the manage-bde -protectors -adbackup C: -id ID command or the Backup-BitLockerKeyProtector PowerShell cmdlet.
To retrieve a BitLocker recovery key from Active Directory (AD), you can use the built-in management console (GUI) or PowerShell. Both methods require that your domain controller has the BitLocker Recovery Password Viewer feature installed.
Method 1: Using Active Directory Users and Computers (GUI)
This is the most common way to find a key for a specific device.
Open ADUC: Launch the Active Directory Users and Computers snap-in.
Locate the Computer: Find the specific computer object in its Organizational Unit (OU).
View Properties: Right-click the computer and select Properties.
BitLocker Recovery Tab: Click the BitLocker Recovery tab. You will see a list of recovery passwords and their associated dates.
Search by Password ID: If you have the 8-character Password ID from the recovery screen, right-click the Domain container, select Find BitLocker Recovery Password, and enter the ID to search.
Method 2: Using PowerShell
PowerShell is faster for remote lookups or when you need to pull keys for multiple machines.
If the key is not found, the machine may have been encrypted before the Group Policy enforcing AD backup was applied.
Retrieving BitLocker recovery keys from Active Directory involves several steps: