AD: BitLocker Recovery Key

By | September 12, 2021

Many laptops ship with BitLocker enabled by default. If the TPM or boot configuration changes, or the PC fails and the disk has to be read in another machine, the only way back into the data is the 48-digit recovery password, so it has to be escrowed somewhere you control. To list the key protectors on a drive (TPM, recovery password, and so on) together with the ID of each, run this in an elevated PowerShell or Command Prompt:

manage-bde -protectors -get C:

Note that this only lists the protectors; it does not back anything up. To push a recovery password into AD DS by hand, pass the Numerical Password ID from that output to manage-bde -protectors -adbackup C: -id {ID} (braces included).

The recovery password is stored in AD as an msFVE-RecoveryInformation object directly under the computer account (reading the msFVE-RecoveryPassword attribute is restricted; by default only Domain Admins can see it). It can be viewed with this:

# Computer account whose recovery information we want
$objComputer = Get-ADComputer LAP001

# Recovery objects sit one level below the computer object; their Name is
# "<backup timestamp>{<key protector ID>}", which is how you match the Key ID
# shown on the recovery screen when a machine has more than one entry
$Bitlocker_Object = Get-ADObject -Filter {objectClass -eq 'msFVE-RecoveryInformation'} -SearchBase $objComputer.DistinguishedName -SearchScope OneLevel -Properties 'msFVE-RecoveryPassword'

$Bitlocker_Object | Select-Object Name, msFVE-RecoveryPassword
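In practice the person on the phone usually only has the first 8 characters of the Key ID from the recovery screen, not the computer name. The following is an added example (not code from the original post) that searches the whole domain for that ID and returns the password together with the computer it belongs to. It assumes the ActiveDirectory module is available and the caller has read access to msFVE-RecoveryPassword; the Key ID value in the usage line is a placeholder, not a real key.

```powershell
# Added example: look up a BitLocker recovery password by the Key ID shown on
# the recovery screen, without knowing which computer account it sits under.
Import-Module ActiveDirectory

function Find-BitLockerRecoveryPassword {
    param(
        # First 8 hex characters of the Key ID from the recovery screen
        [Parameter(Mandatory)][ValidatePattern('^[0-9A-Fa-f]{8}$')][string]$KeyIdPrefix
    )

    $domainDn = (Get-ADDomain).DistinguishedName

    # The object Name is "<timestamp>{<full key protector GUID>}", so matching on
    # "{<prefix>" finds the entry regardless of which computer it belongs to.
    $filter = "objectClass -eq 'msFVE-RecoveryInformation' -and Name -like '*{$KeyIdPrefix*'"
    $objects = Get-ADObject -Filter $filter -SearchBase $domainDn -SearchScope Subtree `
        -Properties msFVE-RecoveryPassword

    foreach ($o in $objects) {
        # The parent of the recovery object is the computer account; the RDN of
        # the recovery object never contains a comma, so the first split is safe.
        $computerDn = $o.DistinguishedName.Substring($o.DistinguishedName.IndexOf(',') + 1)
        $computer   = Get-ADObject -Identity $computerDn

        [pscustomobject]@{
            Computer         = $computer.Name
            RecoveryObject   = $o.Name
            RecoveryPassword = $o.'msFVE-RecoveryPassword'
        }
    }
}

# Usage (placeholder Key ID, not a real one):
# Find-BitLockerRecoveryPassword -KeyIdPrefix 'A1B2C3D4'
```

If the call returns nothing, either the key was never escrowed (see the GPO section below) or you lack read rights on msFVE-RecoveryPassword; AD returns no error in the second case, the attribute is simply empty.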

To back up keys automatically via GPO, add this policy:

  1. Create a GPO named "BitLocker" linked at the domain root and set it to Enforced. The AD schema must already contain the msFVE attributes (Windows Server 2008 or later).
  2. Computer Configuration > Policies > Administrative Templates > Windows Components > BitLocker Drive Encryption > enable, with defaults: "Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista)".
  3. Expand BitLocker Drive Encryption in the left pane. In each of the three nodes, Fixed Data Drives, Operating System Drives and Removable Data Drives, enable the matching setting "Choose how BitLocker-protected fixed data / operating system / removable data drives can be recovered". The defaults already tick "Save BitLocker recovery information to AD DS"; also tick "Do not enable BitLocker until recovery information is stored to AD DS" so a drive cannot be encrypted while no domain controller is reachable.

The policy only escrows a key at the moment BitLocker is turned on. Drives that were already encrypted before the GPO applied (the laptops that shipped with it enabled) never get backed up by it and must be pushed to AD once by hand, with manage-bde -protectors -adbackup or the Backup-BitLockerKeyProtector cmdlet.
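The following is an added example (not part of the original post) for that one-off backup of drives encrypted before the policy existed: it escrows every recovery password protector on the local machine to AD DS and then reads the computer account back to confirm the object landed. It assumes an elevated session on a domain-joined machine, the BitLocker and ActiveDirectory PowerShell modules, and read rights on msFVE-RecoveryPassword for the verification step.

```powershell
# Added example: escrow all existing recovery password protectors to AD DS and
# verify each one against the msFVE-RecoveryInformation objects under the
# computer account.
Import-Module BitLocker
Import-Module ActiveDirectory

function Backup-AllRecoveryPasswordsToAD {
    $computerDn = (Get-ADComputer $env:COMPUTERNAME).DistinguishedName

    # Skip volumes that are not encrypted at all; they have nothing to escrow
    $volumes = Get-BitLockerVolume | Where-Object VolumeStatus -ne 'FullyDecrypted'

    foreach ($vol in $volumes) {
        $rpProtectors = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'

        if (-not $rpProtectors) {
            # A TPM-only drive has no recovery password to back up. Add one first:
            # Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector
            Write-Warning "$($vol.MountPoint): no RecoveryPassword protector, nothing to escrow"
            continue
        }

        foreach ($kp in $rpProtectors) {
            # Same operation as: manage-bde -protectors -adbackup <drive> -id <GUID>
            Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null

            # The AD object Name ends with the key protector ID, e.g. "...{GUID}"
            $filter = "objectClass -eq 'msFVE-RecoveryInformation' -and Name -like '*$($kp.KeyProtectorId)'"
            $adObj = Get-ADObject -Filter $filter -SearchBase $computerDn -SearchScope OneLevel `
                -Properties msFVE-RecoveryPassword

            [pscustomobject]@{
                MountPoint     = $vol.MountPoint
                KeyProtectorId = $kp.KeyProtectorId
                EscrowedInAD   = [bool]$adObj
                # Should match the local protector; empty if you cannot read the attribute
                PasswordInAD   = $adObj.'msFVE-RecoveryPassword'
            }
        }
    }
}

Backup-AllRecoveryPasswordsToAD | Format-Table -AutoSize
```

Any row with EscrowedInAD set to False after the run points at a machine that could not write to its own computer object (the default ACL grants SELF the right to create msFVE-RecoveryInformation children, so a False here usually means the schema extension is missing or the ACL was changed), and that drive is still one TPM failure away from permanent data loss.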