To view recovery passwords, you must be a domain administrator, or you must have been delegated permissions by a domain administrator. In addition, to use the BitLocker Recovery Password Viewer, the following requirements must be met:
- The domain must be configured to store BitLocker recovery information.
- The computers protected by BitLocker must be joined to the domain.
- BitLocker Drive Encryption must have been enabled on the computers.
Bitlocker Recovery Password viewer for Active Directory
Retrieving a BitLocker key from Active Directory involves using the BitLocker Recovery Password Viewer for Active Directory Users and Computers tool. This tool allows you to locate and view BitLocker recovery passwords, assuming that you have Domain Administrator privileges in the domain in which the password is stored and the passwords are archived in AD. You can obtain this tool from Microsoft’s website here:
The tool is not included with Windows Server 2008 or Windows Vista by default. So although you can archive BitLocker keys to AD, there isn’t any way to retrieve them unless you download and install this tool.
After you have installed it but before you actually run the tool on a DC for the first time, it is important that you run the command
The tool itself modifies Active Directory Users and Computers so that when you view a computer account’s properties, there will be a BitLocker Recovery Tab that lists BitLocker recovery passwords associated with the computer account.
The following procedures describe the most common tasks performed by using the BitLocker Recovery Password Viewer.
To view the recovery passwords for a computer
- In Active Directory Users and Computers, locate and then click the container in which the computer is located.
- Right-click the computer object, and then click Properties.
- In the Properties dialog box, click the BitLocker Recovery tab to view the BitLocker recovery passwords that are associated with the particular computer.
To copy the recovery passwords for a computer
- Follow the steps in the previous procedure to view the BitLocker recovery passwords.
- On the BitLocker Recovery tab of the Properties dialog box, right-click the BitLocker recovery password that you want to copy, and then click Copy Details.
- Press CTRL+V to paste the copied text to a destination location, such as a text file or spreadsheet.
To locate a recovery password
- In Active Directory Users and Computers, right-click the domain container, and then click Find BitLocker Recovery Password.
- In the Find BitLocker Recovery Password dialog box, type the first eight characters of the recovery password in the Password ID (first 8 characters) box, and then click Search.