Skip to content

Display Bitlocker Recovery Key in Active Directory

When Bitlocker is enabled on workstation/ laptop in your entreprise, you must have a solution to get the recovery key of the hard drive. In some cases, Bitlocker can prompt to the user the Recovery key if it detects a specific behavior like partition changes.

The easiest solution is to use Active Directory Users And Computers console. This can only be possible if you set in the GPO to store Recovery Key into Active Directory.

With Active Directory Users And Computers, we can:

  • Display Bitlocker Recovery key for one computer.
  • Search in all Active Directory for a Password ID.
  • Delegate Rights to display confidential information.

Feature installation

Before searching your computer in Active Directory, you need to install a plugin to display Bitlocker Recovery Key information. It is integrated in features since Windows Server 2008.

To install Bitlocker Recovery Key feature:

  • Go to Server Manager.
  • On Features Page select Remote Server Administration Tools.
  • Check Bitlocker Drive Encryption Administration Utility.
    • Check Bitlocker Drive Encryption Tools.
    • Bitlocker Recovery Password Viewer.

Computer Object

After the installation, just close and open Active Directory Users And Computers again.

A new tab is now available on computer object:  Bitlocker Recovery with some information:

  • Recovery Key : this key must be given to the user if needed.
  • Computer name and date
  • Password ID:  User must give you this information. (First 8 digit)

Bitlocker Recovery Key Lookup Tool

Sometime, remote user won’t know their computer name. Mostly only know information about first 8 digit code. Don’t panic, there is a solution for that too.

Options to search for 8 digit code in all computer objects:

  • Right click on your domain name.
  • Select Find Bitlocker Recovery Password.
  • Enter the first 8 digit and click Search. You will find the computer and the recovery key.

Delegation Rights

If a helpdesk team exists in enterprise, it’s possible to give them the right to display this information. However, Recovery key is a confidential information and standard users can not view it.

So delegation on some rights are needed on the targeted OU to specific group.

  • Right click on the targeted OU and select Delegate Control.
  • Add groups which need to view Recovery Key.
  • Select Create a custom task to delegate.
  • Choose Only the following object in the folder and check MSFVE-RecoveryInformation objects.
  • Give Full Control on this object.
  • Helpdesk user can now view Recovery information.


In the example above, property config permissions set to Full Control. The explanation is that the property has the confidential bit and Control_Access flag are needed to read it. Control_Access is granted if the account has Full Control in the delegation wizard.

Otherwise, it is possible to set the Control_Access flag with LDP.exe to read only.

You’re all set up now. Next time you run a git mergetool command that involves a dbml file, KDiff3 will sort the file before presenting the conflicts to you.

You may also like...