Unlocking Access: How to Retrieve BitLocker Recovery Keys from Active Directory

Troubleshooting

• No recovery keys found for a device:

  RSAT or a Domain Controller accessible.
  You need either the Remote Server Administration Tools (RSAT) on your management PC or direct RDP access to a Domain Controller.

  Open the Active Directory Users and Computers snap-in (dsa.msc).

  1. Active Directory schema update: Ensure that your Active Directory schema is updated to support BitLocker recovery key storage. This requires at least Windows Server 2008 R2 or later.
  2. BitLocker enabled: BitLocker must be enabled on the computers that will store recovery keys in AD.
  3. Domain controller permissions: You need to have administrative permissions on the domain controller to configure and retrieve BitLocker recovery keys.
  • msFVE-RecoveryPassword — the 48-digit key
  • msFVE-RecoveryGuid — recovery object GUID
  • msFVE-RecoveryOwner — linking to the computer object
  • Recovery Password: 238947-... (the 48-digit key)
  • Creation Date
  • Key ID (matches the one on the lock screen)