In enterprise environments, losing access to a BitLocker-protected drive can bring productivity to a halt. Fortunately, when BitLocker is configured to store recovery information in Active Directory (AD), IT administrators can retrieve the 48-digit recovery password without needing physical access to the machine.
Get-ADComputer -Identity "WS-00123" -Properties msFVE-RecoveryInformation | Select-Object -ExpandProperty msFVE-RecoveryInformation | ForEach-Object $RecoveryString = [System.Text.Encoding]::Unicode.GetString($_) Write-Host "Recovery GUID: $($RecoveryString.Substring(0,36))" Write-Host "48-Digit Key: $($RecoveryString.Substring(36))`n" view bitlocker recovery key in ad
Open an console with AD module loaded:
To output only the 48-digit password and its GUID in a cleaner format: In enterprise environments
# Import the Active Directory module Import-Module ActiveDirectory $ComputerName = "WS-00123" Get the computer object $Computer = Get-ADComputer -Identity $ComputerName -Properties msFVE-RecoveryInformation Retrieve all recovery keys for that computer $Computer.msFVE-RecoveryInformation | ForEach-Object $RecoveryBlob = [System.Text.Encoding]::ASCII.GetString($_) # Parse the blob (contains GUID and recovery password) Write-Output $RecoveryBlob view bitlocker recovery key in ad
