Imagine you’re a system administrator. A user’s laptop is dead—motherboard fried, SSD ripped out of its original home. The data is critical. The drive is sealed with 128-bit or 256-bit AES encryption. Without the key, that SSD is a $50 paperweight.

But you’re smart. You mandated BitLocker. And you told Group Policy to “Save BitLocker recovery information to Active Directory.”

Where Is the BitLocker Key Stored in Active Directory?

The key isn’t stored in a simple text field on the computer object. That would be too easy—and too dangerous.

Instead, Active Directory treats each BitLocker recovery key as a child object linked to the computer. The object class is called msFVE-RecoveryInformation (FVE = Full Volume Encryption, Microsoft’s internal code name for BitLocker). Specifically, the keys are stored in objects of the msFVE-RecoveryInformation class, which contain the 48-digit recovery password in the msFVE-RecoveryPassword attribute.

You can give Helpdesk “Read” access to the computer object but not to its child recovery objects. That means they can see the machine exists but not unlock its drive. Only a specific security group (e.g., “BitLocker Recovery Admins”) can read msFVE-RecoveryInformation.

🛠️ How to Find the Key

If you have the Remote Server Administration Tools (RSAT) installed, you may have a dedicated tool. Otherwise, Get-ADObject lets you query the recovery objects directly. To list every recovery password under an OU:

Get-ADObject -LDAPFilter "(objectClass=msFVE-RecoveryInformation)" -SearchBase "OU=Laptops,DC=Domain,DC=Local" -Properties msFVE-RecoveryPassword | Select-Object DistinguishedName, msFVE-RecoveryPassword

To narrow the result to one machine, filter on the distinguished name of the parent computer object (the recovery objects sit directly beneath it):

Get-ADObject -Filter "objectClass -eq 'msFVE-RecoveryInformation'" -SearchBase "OU=Workstations,DC=contoso,DC=com" -Properties msFVE-RecoveryPassword, msFVE-VolumeGuid | Where-Object { $_.DistinguishedName -like "*CN=ProblemPC*" }
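As an added example (not code from the original article), the lookup below starts from the computer account and reads only its own child recovery objects, then matches the Password ID the user reads off the BitLocker recovery screen. It assumes the RSAT ActiveDirectory module and read rights on msFVE-RecoveryInformation; the function name and parameters are my own.

```powershell
# Added example: find a machine's BitLocker recovery objects via its computer account.
# Assumes the RSAT ActiveDirectory module and delegated read on msFVE-RecoveryInformation.
Import-Module ActiveDirectory

function Get-BitLockerRecoveryFromAD {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        # Optional: first characters of the Password ID shown on the recovery screen
        [string] $PasswordIdPrefix,
        # The 48-digit password is only emitted when explicitly requested
        [switch] $RevealPassword
    )

    # Recovery objects are children of the computer object, so search one level below it
    $computer = Get-ADComputer -Identity $ComputerName -ErrorAction Stop

    $objects = Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
        -LDAPFilter '(objectClass=msFVE-RecoveryInformation)' `
        -Properties whenCreated, msFVE-RecoveryGuid, msFVE-VolumeGuid, msFVE-RecoveryPassword

    foreach ($obj in $objects) {
        # msFVE-RecoveryGuid (the Password ID) and msFVE-VolumeGuid are stored as octet strings
        $passwordId = [guid]::new([byte[]]$obj.'msFVE-RecoveryGuid')
        $volumeId   = [guid]::new([byte[]]$obj.'msFVE-VolumeGuid')

        if ($PasswordIdPrefix -and
            -not $passwordId.ToString().StartsWith($PasswordIdPrefix, 'OrdinalIgnoreCase')) {
            continue
        }

        $shown = if ($RevealPassword) { $obj.'msFVE-RecoveryPassword' } else { '<hidden; use -RevealPassword>' }

        [pscustomobject]@{
            Computer     = $computer.Name
            BackedUp     = $obj.whenCreated
            PasswordId   = $passwordId
            VolumeId     = $volumeId
            RecoveryPass = $shown
        }
    }
}

# Usage: Get-BitLockerRecoveryFromAD -ComputerName ProblemPC -PasswordIdPrefix 0A1B2C3D -RevealPassword
```

Because the search base is the computer object itself, an account that has been granted read on the computer but not on its child recovery objects gets an empty result rather than a key.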