Powershell Get Bitlocker Recovery Key From Ad Jun 2026
How to Retrieve BitLocker Recovery Keys from Active Directory Using PowerShell

Retrieving BitLocker recovery keys from Active Directory (AD) is a critical task for system administrators when a user is locked out of their device. While the Active Directory Users and Computers (ADUC) tool provides a graphical interface, PowerShell offers a faster and more scriptable way to pull these keys for one or multiple computers.

Prerequisites

Before you can retrieve recovery keys, ensure you meet these requirements:

- Elevated permissions: typically requires Domain Admin, delegated BitLocker recovery permissions, or membership in a BitLocker Recovery security group.
- Group Policy: keys only appear in AD if clients are configured to back them up. The setting "Store BitLocker recovery information in Active Directory Domain Services" must be enabled under Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption, and the per-drive policy "Choose how BitLocker-protected drives can be recovered" (Computer Configuration > Policies > Administrative Templates > Windows Components > BitLocker Drive Encryption) must require the backup. Without these policies, clients never escrow their keys and the queries below return nothing.

Retrieving keys for every computer in an OU

To retrieve BitLocker recovery keys for computers in a specific Organizational Unit (OU), use the following command. Replace <ou_name> with the name of the OU and <domain_name> with the domain name. Recovery information is stored as msFVE-RecoveryInformation child objects of each computer account, so the search is scoped to the computer's distinguished name.

```powershell
Import-Module ActiveDirectory

# Distinguished name of the OU; adjust the DC= components to your domain
$computers = Get-ADComputer -Filter * -SearchBase "OU=<ou_name>,DC=<domain_name>,DC=com"

foreach ($computer in $computers) {
    # objectClass must be quoted inside the filter string; attribute names containing
    # a hyphen must be quoted as well
    $recoveryInfo = Get-ADObject -Filter "objectClass -eq 'msFVE-RecoveryInformation'" `
        -SearchBase $computer.DistinguishedName `
        -Properties 'msFVE-RecoveryPassword', 'msFVE-RecoveryGuid', 'whenCreated'

    $recoveryInfo | Select-Object @{ n = 'Computer'; e = { $computer.Name } },
        Name, 'msFVE-RecoveryPassword', whenCreated
}
```

Retrieving keys for a single computer

For one machine, look up the computer object by name, query its recovery objects, and print each key. The catch block reports lookup failures (no such computer, insufficient rights, unreachable domain controller) instead of silently returning nothing.

```powershell
Import-Module ActiveDirectory

$ComputerName = '<computer_name>'

try {
    $computer = Get-ADComputer -Identity $ComputerName -ErrorAction Stop
    $recoveryKeys = Get-ADObject -Filter "objectClass -eq 'msFVE-RecoveryInformation'" `
        -SearchBase $computer.DistinguishedName `
        -Properties 'msFVE-RecoveryPassword', 'msFVE-VolumeGuid', 'whenCreated'

    if ($recoveryKeys) {
        Write-Host "Found $(@($recoveryKeys).Count) BitLocker recovery key(s) for $ComputerName" -ForegroundColor Green
        foreach ($key in $recoveryKeys) {
            # The object name is <timestamp>{<key protector GUID>}; the GUID matches the
            # protector ID shown by manage-bde / Get-BitLockerVolume on the client
            Write-Host "`nRecovery Key ID: $($key.Name)" -ForegroundColor Yellow
            Write-Host "Recovery Password: $($key.'msFVE-RecoveryPassword')" -ForegroundColor Cyan
            Write-Host "Created: $($key.whenCreated)"
            Write-Host "Volume GUID: $($key.'msFVE-VolumeGuid')"
        }
    }
    else {
        Write-Warning "No BitLocker recovery information found for $ComputerName"
    }
}
catch {
    Write-Error "Failed to retrieve recovery key: $($_.Exception.Message)"
}
```

Keys only appear in AD if the Group Policy above is applied; a computer that shows no msFVE-RecoveryInformation objects has either never backed up its key or encrypted its drive before the policy took effect.
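The queries above answer "what is the key for this machine"; the operational question an administrator usually has first is "which machines have no escrowed key at all". The following script is an added example, not code from the original article: it turns the same msFVE-RecoveryInformation query into an escrow audit for an OU and writes a CSV that deliberately carries only key IDs and timestamps, never the recovery passwords. A second function, meant to run on a domain-joined client that has the ActiveDirectory and BitLocker modules, compares the local recovery-password protector IDs from Get-BitLockerVolume with the GUIDs embedded in the AD object names and, with -Repair, re-escrows any missing protector using Backup-BitLockerKeyProtector. The function names, the OU placeholder and the CSV path are assumptions; the cmdlets and attribute names are real.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not part of the original article. Function names, the OU DN and the
# output path are assumptions; the cmdlets, parameters and attribute names are real.

$RecoveryFilter = "objectClass -eq 'msFVE-RecoveryInformation'"

function Get-BitLockerEscrowReport {
    <#
      Per computer in an OU: how many recovery-password objects exist in AD and when the
      newest was created. The report never includes msFVE-RecoveryPassword itself.
    #>
    param(
        [Parameter(Mandatory)] [string] $SearchBase,   # placeholder, e.g. "OU=Laptops,DC=contoso,DC=com"
        [string] $CsvPath
    )

    $rows = foreach ($computer in Get-ADComputer -Filter * -SearchBase $SearchBase) {
        $keys   = @(Get-ADObject -Filter $RecoveryFilter -SearchBase $computer.DistinguishedName -Properties whenCreated)
        $newest = $keys | Sort-Object whenCreated -Descending | Select-Object -First 1
        [PSCustomObject]@{
            ComputerName = $computer.Name
            KeyCount     = $keys.Count
            NewestKey    = if ($newest) { $newest.whenCreated } else { $null }
            # The GUID inside the object name is the key protector ID on the client
            NewestKeyId  = if ($newest -and $newest.Name -match '\{([0-9a-f-]{36})\}') { $Matches[1] } else { $null }
            Escrowed     = $keys.Count -gt 0
        }
    }

    if ($CsvPath) { $rows | Export-Csv -Path $CsvPath -NoTypeInformation }
    $rows
}

function Test-LocalBitLockerEscrow {
    <#
      Run on the client itself: confirm every RecoveryPassword protector on the volume is
      present in AD, and optionally back up the ones that are not.
    #>
    param(
        [string] $MountPoint = 'C:',
        [switch] $Repair
    )

    $computer = Get-ADComputer -Identity $env:COMPUTERNAME
    # GUIDs of the recovery objects AD already holds for this computer
    $escrowed = @(Get-ADObject -Filter $RecoveryFilter -SearchBase $computer.DistinguishedName) |
        ForEach-Object { if ($_.Name -match '\{([0-9a-f-]{36})\}') { [guid]$Matches[1] } }

    $volume     = Get-BitLockerVolume -MountPoint $MountPoint
    $protectors = @($volume.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')

    foreach ($kp in $protectors) {
        $present = $escrowed -contains [guid]$kp.KeyProtectorId
        if (-not $present -and $Repair) {
            # Same action the Group Policy triggers automatically; needs local admin rights
            Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
            $present = $true
        }
        [PSCustomObject]@{
            MountPoint     = $MountPoint
            KeyProtectorId = $kp.KeyProtectorId
            InAD           = $present
        }
    }
}

# Usage (placeholders as above):
# Get-BitLockerEscrowReport -SearchBase 'OU=<ou_name>,DC=<domain_name>,DC=com' -CsvPath .\escrow.csv |
#     Where-Object { -not $_.Escrowed }
# Test-LocalBitLockerEscrow -MountPoint 'C:' -Repair
```

Two design points worth noting. A computer accumulates one msFVE-RecoveryInformation object per recovery-password protector it has ever backed up, so the report sorts by whenCreated and exposes only the newest ID; an older object whose protector has since been removed from the drive is useless for recovery, and the client-side check is what tells you whether the protector currently on the disk is the one AD holds. Second, reading msFVE-RecoveryPassword is the sensitive operation here, so the audit reads whenCreated and the object name only; anyone who can run the report does not thereby obtain every recovery password in the OU.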