How to Query AD for BitLocker Details - Ask Garth

For those who prefer the CLI or need to automate reports, PowerShell is the fastest route. Use the following command (it requires the Active Directory module, which ships with RSAT):
This is the traditional GUI method, preferred by administrators who manage objects visually.
To force computers to back up their keys automatically, you must configure a Group Policy. This is the most reliable method for enterprise environments.
| Issue | Fix |
| :--- | :--- |
| BitLocker Recovery tab or child objects not visible | Enable "Advanced Features" in ADUC (View menu). |
| The computer object has no child entries | BitLocker was never backed up to AD. Check the GPO again. |
| The key doesn't work | You grabbed the wrong key. Verify the Password ID on the user's screen matches the Password ID in AD. |
| PowerShell returns nothing | Run as Domain Admin, or as an account that has been delegated read access to msFVE-RecoveryInformation objects. Also try -Properties * – some attributes are not returned by default. |
If you navigate to a computer object and the BitLocker Recovery tab is empty, consider the following common pitfalls:
The Active Directory Administrative Center provides a modern interface to locate backed-up keys. Press Win + R, type dsac.exe, and press Enter.
If the computer exists in AD but the tab is empty, the key was most likely never backed up. You can manually force a backup from the client machine if you still have access to the OS, from an elevated Command Prompt (Admin):
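The manual backup described above, as an added example that is not part of the original page. It uses the BitLocker PowerShell module (Get-BitLockerVolume, Backup-BitLockerKeyProtector) rather than the manage-bde command the page alludes to; the equivalent manage-bde invocation is noted in a comment. The function name is my own, and it must run elevated on a domain-joined client that can reach a domain controller.

```powershell
# Added example (not from the original page): push the OS drive's 48-digit
# numerical recovery password into AD DS and report which protector IDs went up.
function Backup-OsRecoveryPasswordToAd {
    param([string] $MountPoint = $env:SystemDrive)

    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    if ($vol.ProtectionStatus -ne 'On') {
        throw "BitLocker protection is not on for $MountPoint; nothing to back up."
    }

    # Only the numerical password protector is stored in AD as msFVE-RecoveryPassword.
    # TPM, PIN and startup-key protectors are never written to the directory.
    $protectors = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    if ($protectors.Count -eq 0) {
        throw "No recovery password protector on $MountPoint. Add one with: Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector"
    }

    foreach ($p in $protectors) {
        try {
            # Equivalent command-prompt form:
            #   manage-bde -protectors -adbackup $MountPoint -id $($p.KeyProtectorId)
            Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId -ErrorAction Stop | Out-Null
            # KeyProtectorId is the same GUID the recovery screen shows as the Password ID (with braces).
            [pscustomobject]@{ MountPoint = $MountPoint; PasswordId = $p.KeyProtectorId; BackedUp = $true; Error = $null }
        } catch {
            # Typical causes: machine not domain-joined, no DC reachable, or the computer
            # account is not allowed to create msFVE-RecoveryInformation objects under itself.
            [pscustomobject]@{ MountPoint = $MountPoint; PasswordId = $p.KeyProtectorId; BackedUp = $false; Error = $_.Exception.Message }
        }
    }
}

Backup-OsRecoveryPasswordToAd | Format-Table -AutoSize
```

After a successful run, re-open the computer object in ADUC (or re-run the AD query) and confirm a child entry with that Password ID now exists; the cmdlet returning without error only means the directory accepted the write, not that the key you looked up later is the right one.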
Keep in mind that these papers might not be the most recent publications, but they still provide valuable insights into BitLocker and recovery key management.
Always configure the GPO setting Computer Configuration > Policies > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives > "Choose how BitLocker-protected operating system drives can be recovered". Enable it, tick "Save BitLocker recovery information to AD DS for operating system drives", and tick "Do not enable BitLocker until recovery information is stored in AD DS for operating system drives". That last box is what prevents a machine from encrypting with a key that never reached AD; without it, a client that cannot reach a domain controller at encryption time keeps the key only on the local disk. Note that the policy is not retroactive: drives encrypted before it applied still need a manual backup from the client.
The most common graphical method uses the Active Directory Users and Computers (ADUC) snap-in. To see the dedicated BitLocker Recovery tab, you must have the BitLocker Drive Encryption Administration Utilities installed via the Remote Server Administration Tools (RSAT) package. On a server, the same utilities are installed via the "Add Roles and Features" wizard. Step-by-Step Retrieval: Press Win + R, type dsa.msc, and press Enter to open ADUC.

GPO Not Applied: confirm on the client with gpupdate /force followed by gpresult /r that the BitLocker policy is actually listed under the applied computer policies; a GPO linked to the wrong OU, or filtered out by security filtering, leaves the client encrypting without ever backing up.
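A client-side check for the "GPO Not Applied" pitfall and for the policy settings described above, as an added example that is not part of the original page. It reads the registry values that the BitLocker administrative template (VolumeEncryption.admx) writes under HKLM\SOFTWARE\Policies\Microsoft\FVE; the value names are those of that template, and the function name is my own.

```powershell
# Added example (not from the original page): verify on a client that the
# "store recovery information in AD DS" policy has actually applied.
function Test-BitLockerAdBackupPolicy {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $key)) {
        Write-Warning "$key does not exist: no BitLocker policy has applied to this computer. Run 'gpupdate /force' and 'gpresult /r' and check the GPO link and security filtering."
        return $false
    }
    $p = Get-ItemProperty -Path $key

    # Values written by "Choose how BitLocker-protected operating system drives can be recovered".
    # A missing value reads as $null and fails the check, which is what we want: Not Configured
    # means the client is free to encrypt without telling AD.
    $checks = [ordered]@{
        'OSRecovery = 1 (recovery policy enabled)'                              = ($p.OSRecovery -eq 1)
        'OSActiveDirectoryBackup = 1 (save recovery info to AD DS)'             = ($p.OSActiveDirectoryBackup -eq 1)
        'OSRequireActiveDirectoryBackup = 1 (do not enable until stored in AD)' = ($p.OSRequireActiveDirectoryBackup -eq 1)
        'OSRecoveryPassword in 1,2 (48-digit password allowed or required)'     = ($p.OSRecoveryPassword -in @(1, 2))
    }

    $allOk = $true
    foreach ($c in $checks.GetEnumerator()) {
        $status = if ($c.Value) { 'OK  ' } else { $allOk = $false; 'FAIL' }
        Write-Host "[$status] $($c.Key)"
    }
    return $allOk
}

if (-not (Test-BitLockerAdBackupPolicy)) {
    Write-Warning 'Policy incomplete. Drives encrypted before a correct policy applied were never backed up; fix the GPO, then force a backup on each affected client.'
}
```

Run this from an elevated prompt on a machine that appears in AD without any recovery entries: if every line reads OK the policy is fine and the drive was simply encrypted before the policy reached it, so the manual backup is the fix; if any line reads FAIL, the GPO itself is the problem.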
```powershell
$ComputerName = "DESKTOP-JOHN01"
```
Match the Password ID (the first 8 characters shown on the locked PC) against the list in AD to find the correct 48-digit key. A machine that has been encrypted more than once, or that has several volumes, holds several entries, so never pick one by date alone.
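The PowerShell route introduced earlier, completing the page's $ComputerName snippet and the Password ID matching step above, as an added example that is not part of the original page. It queries the msFVE-RecoveryInformation child objects of the computer account with the ActiveDirectory module; the function name and the -PasswordId parameter are my own, and it assumes an account allowed to read msFVE-RecoveryPassword (Domain Admins by default).

```powershell
# Added example (not from the original page): list a computer's backed-up
# BitLocker recovery passwords and optionally keep only the one whose
# Password ID starts with the characters shown on the recovery screen.
Import-Module ActiveDirectory

function Get-BitLockerRecoveryInfo {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        # First 8 characters of the Password ID from the locked PC (optional)
        [string] $PasswordId
    )

    $computer = Get-ADComputer -Identity $ComputerName -ErrorAction Stop

    # Recovery data is not an attribute of the computer object itself: each backed-up
    # protector is a separate child object of class msFVE-RecoveryInformation.
    $entries = @(Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
        -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
        -Properties msFVE-RecoveryPassword, msFVE-RecoveryGuid, whenCreated)

    if ($entries.Count -eq 0) {
        Write-Warning "No recovery information stored in AD for $ComputerName. Check the GPO, then force a backup from the client."
        return
    }

    $results = foreach ($e in $entries) {
        [pscustomobject]@{
            ComputerName     = $computer.Name
            Created          = $e.whenCreated
            # msFVE-RecoveryGuid is stored as raw GUID bytes; rendered as a GUID it is the
            # Password ID the user reads off the recovery screen.
            PasswordId       = ([guid]::new([byte[]]$e.'msFVE-RecoveryGuid')).ToString().ToUpper()
            RecoveryPassword = $e.'msFVE-RecoveryPassword'
        }
    }

    if ($PasswordId) {
        $prefix = $PasswordId.Trim().ToUpper()
        $results = @($results | Where-Object { $_.PasswordId.StartsWith($prefix) })
        if ($results.Count -eq 0) { Write-Warning "No stored key matches Password ID prefix $prefix." }
    }

    $results | Sort-Object Created -Descending
}

# Usage: newest entries first; with -PasswordId only the matching protector is returned.
Get-BitLockerRecoveryInfo -ComputerName "DESKTOP-JOHN01" -PasswordId "6B6B6B6B" | Format-Table -AutoSize
```

Passing -PasswordId is the scripted form of the matching step: it removes the chance of reading the newest key to a user whose machine is prompting for an older one. Treat the output as a secret; do not log it to a ticket or transcript.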
If you don't see the BitLocker tab in ADUC, ensure the BitLocker Recovery Password Viewer is installed: on Windows 10/11 it is the "RSAT: BitLocker Drive Encryption Administration Utilities" optional feature; on a server it is a feature under Remote Server Administration Tools.
```text
Name                                 msFVE-RecoveryPassword          Created
----                                 ----------------------          -------
6b6b6b6b-1111-4444-9999-abcdef123456 456123-789456-123789-456123-... 2025-02-10
```
There, listed clearly with its associated date and Password ID, was the 48-digit recovery password.

The Resolution
You can find interactive PowerShell scripts, such as the open-source BLK_retrieval.ps1 on GitHub, which prompt for a system name and return the associated recovery key directly in the terminal. Read any such script before running it: it executes with the rights of the account that can read recovery passwords, so a modified copy could exfiltrate every key it touches.