Retrieve BitLocker Recovery Key

Quick intro

BitLocker is like backup. It’s good to have it. It’s better to have the restore verified as well.

If you’re planning to implement BitLocker into your organization (or already have that), it’s good to know what’s the choice of storing the recovery password:

  • print
  • save to a file – either usb stick or unc share
  • backup to ActiveDirectory
  • backup to Azure ActiveDirectory
  • use MBAM

More information can be found here.

For me, the best approach would be to:

  • use GPO to encrypt end user device AND store the password in Active Directory

This can be configured here: Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> BitLocker Drive Encryption -> Store BitLocker recovery information in Acive Directory Domain Services.

This also ensures that encryption won’t start if recovery key failed to be backed up to AD.

  • use Intune and encrypt user device AND store the password in Azure Active Directory with self-service key recovery feature

This doesn’t introduce the cost of MBAM or SCCM.

What if you already have your drives encrypted, and now want to improve the process od recovering information? As always – PowerShell to the rescue. To send information to AD we can use Backup-BitLockerKeyProtector. It can accept either KeyProtectorID or the ID itself. Retrieving those is simple.

Ways to get BitLocker recovery key information to AD and Azure AD


We can get the information using manage-bde tool:

Retrieve information

Send to AD


This is more fun (objects) do I’ll describe this. Let’s first get information about our volumes:

As you can see I have only one drive, encrypted with TPM. To get the information we require just select-object

This returns two objects for each drive. We’re interested in the second object

Let’s store the information to ActiveDirectory now:

If I would have more drives, this would come in handy:

$BitLockerVolumes = Get-BitLockerVolume
foreach ($blv in $BitLockerVolumes) {
Backup-BitLockerKeyProtector MountPoint $blv.MountPoint KeyProtectorId (($blv.KeyProtector)[1] | Select-Object ExpandProperty KeyProtectorID)
VolumeType Mount CapacityGB VolumeStatus Encryption KeyProtector AutoUnlock Protection
Point Percentage Enabled Status
———- —– ———- ———— ———- ———— ———- ———-
OperatingSystem C: 236.22 FullyEncrypted 100 {Tpm, RecoveryPassword} On

view raw


hosted with ❤ by GitHub

Azure Active Directory

Same goes with sending RecoveryKey to Azure AD, this time with BackupToAAD-BitLockerKeyProtector:

$BitLockerVolumes = Get-BitLockerVolume
foreach ($blv in $BitLockerVolumes) {
BackupToAADBitLockerKeyProtector MountPoint $blv.MountPoint KeyProtectorId (($blv.KeyProtector)[1] | Select-Object ExpandProperty KeyProtectorID)
VolumeType Mount CapacityGB VolumeStatus Encryption KeyProtector AutoUnlock Protection
Point Percentage Enabled Status
———- —– ———- ———— ———- ———— ———- ———-
OperatingSystem C: 236.22 FullyEncrypted 100 {Tpm, RecoveryPassword} On

view raw


hosted with ❤ by GitHub

 Retrieve RecoveryKey

From AD

Now the best part – how to get the information back. Since Windows 2008 BitLocker Recovery Key is stored in AD in msFVE-RecoveryInformation objectclass aassociated to Computer. To get that we first need to get Computer Object and then search Active Directory for ObjecClass of given type. This is assuming your account have rights to read the information from AD in the first place! (great article here)

$ComputerName = 'nbmczerniawski2'
$DNComputer = Get-ADComputer $computerName | Select-Object ExpandProperty DistinguishedName
$obj = get-adobject Filter {objectclass -eq 'msFVE-RecoveryInformation'} SearchBase $DNComputer Properties 'msFVE-RecoveryPassword' | Select-Object Name,msFVERecoveryPassword
ComputerName = $ComputerName
RecoveryPassword = $obj.'msFVE-RecoveryPassword'
Date = Get-Date Date ($obj.Name ).Split('{')[0]
KeyID = (($obj.Name ).Split('{')[1]).TrimEnd('}')

view raw


hosted with ❤ by GitHub

I’m using custom objects for better readability. Date shiws when the drive was encrypted, not when the information was backed up.

From Azure AD

There is a delay between using BackupToAAD-BitLockerKeyProtector and the information showing on AzureAD. Give it time to synchronize 🙂

Go to, go to the “Profile” page and see all the registered devices:

From there You can view the recovery password for You devices.

Btw – it’s not very intuitive – You cannot access this informatorom directly from -> profie pages.

10 thoughts on “Retrieve BitLocker Recovery Key

  1. hi i need a help plz i lock my D drive to bitlocker and i lost of my both of password or key plz help me how i open to my drive to without bitlocker recovrey key or password


    1. Without key or password you’ll do nothing. If that would be on the same system You could try to unlock it (if keys were in TPM). Else – sorry, but that’s the power of encryption – no key=no data.


  2. Is there any way to back up the recovery keys using a csv file with the computer names and the recovery Id for each? MS is ending MBAM support so we are trying to see if it is possible to import the keys from a list instead of running a command on each machine (scripted or not)


      1. Invoke-Command throws he following error, but running it from the local machine works fine.

        The Active Directory Domain Services forest does not contain the required attributes and classes to host BitLocker Drive Encryption or Trusted Platform Module information. Contact your domain administrator to verify that any required BitLocker Active Directory schema extensions have been installed. (Exception from HRESULT: 0x8031000A)


  3. My PS as admin opens to c, system 32. Can’t cd to admin tools, not found. Cmd you posted doesn’t work.i can run it, no errors, but nothing onscreen.

    PS: Wish people who write these great articles would place the code outside of the image making it accessible for copy and paste.


    1. The page/code has been moved to
      You need to have AdminTools folder on your C drive created or… move to any other folder. Copying and running scripts from the internet directly may be.. dangerous sometimes. It’s good to review them first:).

      As for the code – apart from images I’ve also posted code as github gists – from which you can copy those. So code you should be able to run – is in gists. Few first are just to demonstrate/show output.
      Also – this is an old article – I was still learning the platform back then. Since then I tend to get the code directly on the page as code blocks.:)

      Thanks for the comment 🙂


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s