In this blog I will show you how to get the BitLocker Recovery Password from Active Directory. This information can be viewed either through ADSI Edit or through the BitLocker Recovery Password Viewer.
2 ways to view BitLocker Recovery password
There are two ways to view the BitLocker Recovery Password: through ADSI Edit, or through the BitLocker Recovery Password Viewer, which is a feature that has to be installed first.
Get Recovery Password through ADSI Edit
The first one uses ADSI Edit, where the information is stored in objects of the class msFVE-RecoveryInformation. I won’t say it’s the easiest way, but it is a convenient one if you don’t want to install any feature on the server.
Log in to the domain controller. Press Windows + R, run adsiedit.msc to open ADSI Edit, and navigate to the location of the system whose recovery password you are looking for.
In my case I navigated to ADSI Edit > Default naming context > OU=Client > CN=VM00155D004C27, where VM00155D004C27 is the hostname of the system.
Once selected, in the right pane you will see a serviceConnectionPoint object along with at least one msFVE-RecoveryInformation object. In my case there are two, because I encrypted the disk twice, so two recovery passwords are present. To avoid confusion about which one is the latest, look at the time stamp in the Name column.
Double click the last object in the right pane.
This opens the Attribute Editor for the selected object. For a tidier view, click Filter > Show only attributes that have values.
Now you will see a few attributes, among them the one we are looking for, i.e. msFVE-RecoveryPassword. Double click it, and this is the information we were after.
Get Recovery Password through Password viewer feature
The method above is not very easy or convenient. The one I am going to demonstrate now is the most flexible, and it allows searching as well.
Log in to the domain controller and launch Server Manager. On the Server Manager Dashboard, click Manage > Add Roles and Features.
Click Next until you reach the Select Features page, and under Features select BitLocker Drive Encryption. This automatically adds other role services and features, such as:
Remote Server Administration Tools
Feature Administration Tools
BitLocker Drive Encryption Administration Utilities
BitLocker Recovery Password Viewer
BitLocker Drive Encryption Tools
Click on Add Features.
Click Next to proceed.
Select Restart the destination server automatically if required, as this feature requires a restart.
This initiates the installation; allow some time for it to complete, during which the server restarts automatically.
Verify BitLocker Recovery Password from AD
Launch Active Directory Users and Computers (dsa.msc), find the computer VM00155D004C27 and double click it to see its properties.
You will notice a new tab named BitLocker Recovery which was missing before.
Under the Details section you can see the Recovery Password along with the date it was generated and the Password ID.
Find BitLocker Recovery Password if hostname is unknown
This is the scenario where a user says they are unable to log in and instead see the BitLocker Recovery screen asking them to “Enter the recovery key for this drive”. The user may not be able to tell you the hostname, as they may not know it and may not be too technical.
In this case, ask the user for the first 8 characters of the Recovery Key ID shown on that screen; in this case it is 98D33BF9.
In Active Directory Users and Computers, right click the domain and select Find BitLocker Recovery Password to open the search dialog.
Enter the first 8 characters of the Recovery Key ID as the Password ID and click Search.
You now have the Recovery Password, which can be given to the user to log in to the system.
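The same two lookups (by hostname, and by the first 8 characters of the Recovery Key ID when the hostname is unknown) can be scripted against the msFVE-RecoveryInformation objects with the ActiveDirectory PowerShell module. This is an added example, not code from the original post; it assumes RSAT-AD-PowerShell is available and that the account running it has been delegated read access to msFVE-RecoveryPassword, and it reuses the post's hostname and Password ID prefix as sample input.

```powershell
# Added example (not from the original post): query the msFVE-RecoveryInformation
# objects the post browses in ADSI Edit and ADUC, using the ActiveDirectory module.
# Assumes RSAT-AD-PowerShell and an account delegated to read msFVE-RecoveryPassword.
Import-Module ActiveDirectory

# Case 1: hostname known. Recovery objects are children of the computer object, so
# search one level below its DN. Newest first matches the "latest time stamp in the
# Name column" rule from the post.
function Get-BitLockerRecoveryByHost {
    param([Parameter(Mandatory)][string]$ComputerName)

    $computer = Get-ADComputer -Identity $ComputerName
    Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
        -Filter "objectClass -eq 'msFVE-RecoveryInformation'" `
        -Properties msFVE-RecoveryPassword, msFVE-RecoveryGuid, whenCreated |
      Sort-Object whenCreated -Descending |
      ForEach-Object {
          [pscustomobject]@{
              Computer         = $ComputerName
              Created          = $_.whenCreated
              # msFVE-RecoveryGuid is stored as raw bytes; ADUC shows it as the Password ID
              PasswordId       = ([guid]$_.'msFVE-RecoveryGuid').ToString().ToUpper()
              RecoveryPassword = $_.'msFVE-RecoveryPassword'
          }
      }
}

# Case 2: hostname unknown, only the first 8 characters of the Recovery Key ID from the
# user's BitLocker screen. The object's CN is "<timestamp>{<Password ID>}", so the
# prefix can be matched on the name; the owning computer is the parent of the hit.
function Find-BitLockerRecoveryById {
    param([Parameter(Mandatory)][ValidatePattern('^[0-9A-Fa-f]{8}$')][string]$PasswordIdPrefix)

    Get-ADObject -Filter "objectClass -eq 'msFVE-RecoveryInformation' -and name -like '*{$PasswordIdPrefix*'" `
        -Properties msFVE-RecoveryPassword, msFVE-RecoveryGuid, whenCreated |
      ForEach-Object {
          # Parent DN = everything after the first RDN (CN has no commas, so a 2-way split is safe)
          $parentDn = ($_.DistinguishedName -split ',(?=CN=|OU=|DC=)', 2)[1]
          [pscustomobject]@{
              Computer         = (Get-ADObject -Identity $parentDn).Name
              Created          = $_.whenCreated
              PasswordId       = ([guid]$_.'msFVE-RecoveryGuid').ToString().ToUpper()
              RecoveryPassword = $_.'msFVE-RecoveryPassword'
          }
      }
}

Get-BitLockerRecoveryByHost -ComputerName 'VM00155D004C27'
Find-BitLockerRecoveryById -PasswordIdPrefix '98D33BF9'
```

Because reads of msFVE-RecoveryPassword are the sensitive step here, the same queries are a useful audit baseline: enabling auditing on the recovery objects lets you see which accounts read recovery passwords and when.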