Sunday 19 May 2024

How to query AD for Bitlocker details.


Hi all.

You must back up your BitLocker recovery keys, and in a business you can do that in AD. In an earlier post I showed how to configure BitLocker so that it stores its recovery passwords in Active Directory (AD) for easy retrieval.

The follow-up question is: how do you query AD for those BitLocker details? In this post I will show you what you need to do, first in Active Directory Users and Computers and then in PowerShell. This post assumes that the account you are using has the rights to read BitLocker recovery passwords; by default only domain admins do, and if you have delegated that right to a help-desk group, use an account in that group.


How to query AD for Bitlocker details via ADUC

As I said, I knew that the BitLocker recovery information is stored with the computer object in AD, but where exactly? Using MEMDP2 as my example, I opened Active Directory Users and Computers (ADUC), located MEMDP2 and looked at its properties. At first glance there is nothing to indicate that this computer has a BitLocker recovery password. The Password Replication tab has nothing to do with BitLocker, but Attribute Editor might, so let's start there.

From my other research I know that the data lives in objects of the class msFVE-RecoveryInformation, one per backed-up recovery password, created as child objects of the computer object rather than as attributes on the computer itself. That is why the computer's own Attribute Editor shows nothing. Each child object is named "<backup timestamp>{<recovery key GUID>}", and the schema names involved are:

ms-FVE-KeyPackage (LDAP name msFVE-KeyPackage): the key package for the volume, used with repair-bde to recover a damaged disk

ms-FVE-RecoveryGuid (msFVE-RecoveryGuid): the recovery key ID, the one whose first eight characters the BitLocker recovery screen displays

ms-FVE-RecoveryInformation (msFVE-RecoveryInformation): the object class that holds the other attributes

ms-FVE-RecoveryPassword (msFVE-RecoveryPassword): the 48-digit recovery password itself

ms-FVE-VolumeGuid (msFVE-VolumeGuid): identifies the encrypted volume the password belongs to


You can see those child objects in ADUC by turning on View > Advanced Features and View > Users, Contacts, Groups, and Computers as containers, and ADSI Edit shows them without any extra steps. The friendlier way is the BitLocker Recovery tab on the computer's properties, which only appears once the BitLocker Recovery Password Viewer (part of the BitLocker Drive Encryption Administration Utilities RSAT feature) is installed. Since we have all installed a Windows feature before, just the high-level steps.



I'm performing these steps on my DC. In the Features window, select BitLocker Drive Encryption (orange arrow in the screenshot); this immediately pops up the Add features window listing the administration utilities the feature depends on. Click the Add Features button, complete the wizard to finish the install, and don't forget to reboot.



After the reboot I go back into ADUC, open the properties of MEMDP2, and the BitLocker Recovery tab is now there, listing each backed-up recovery password with its date and password ID.


How to query AD for Bitlocker details via PowerShell

It's great that you know how to read the recovery password from ADUC, but how do you do the same thing via PowerShell? The cmdlets come from the ActiveDirectory module, which is part of RSAT and already present on a DC. Before you run the commands below, load it by executing Import-Module ActiveDirectory; you need to do this once per PowerShell session (recent versions of PowerShell also auto-load it the first time you call an AD cmdlet, but running it explicitly does no harm).

$Computer = 'memdp2'
# The computer object's DN is the search base: the recovery objects sit directly beneath it
$DN = Get-ADComputer $Computer | Select-Object -ExpandProperty DistinguishedName
# One object per backed-up recovery password, of class msFVE-RecoveryInformation
$ADobj = Get-ADObject -Filter "objectClass -eq 'msFVE-RecoveryInformation'" -SearchBase $DN -Properties 'msFVE-RecoveryPassword' | Select-Object Name,'msFVE-RecoveryPassword'
$ADobj

The above PowerShell commands query AD for every recovery password stored under that computer object; the Name column carries the backup time and the full recovery key ID.



Again, you can see all of the recovery passwords for the same computer. Treat this output as you would the disk itself: it is the decryption key for that volume, so do not export it to a file on a share, and expect to have to justify reading it in an audit.

If you are NOT seeing any passwords when you run the PowerShell commands, first make sure that you have run PowerShell elevated. If that still returns nothing, check that the account you are using actually has read access to the msFVE-RecoveryInformation objects (by default only domain admins do), and remember that an empty result is also the honest answer for a computer whose recovery information was never backed up to AD.
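As an added example (my own code, not the post's), here are three PowerShell functions that build on the query above: one that returns every recovery object under a computer with its key ID and backup date, a reverse lookup from the 8-character key ID shown on the BitLocker recovery screen to the computer that owns it, and an audit of enabled computers that have nothing backed up at all. It assumes the RSAT ActiveDirectory module, an account that can read the recovery objects, the post's computer name memdp2, and a made-up key ID prefix.

```powershell
# Added example, not code from the original post. Assumes the RSAT ActiveDirectory
# module is installed and the current account can read msFVE-RecoveryInformation
# objects. 'memdp2' is the post's computer; the key ID prefix used below is made up.
Import-Module ActiveDirectory

# Recovery objects are children of the computer object; their RDN is
# "<backup timestamp>{<recovery key GUID>}", so the GUID can be read from the name.
$KeyIdPattern = '\{([0-9A-Fa-f-]{36})\}'

function Get-ParentDn ([string]$Dn) {
    # Split on the first unescaped comma: [RDN, parent DN]. The parent of a
    # recovery object is the computer object that owns the volume.
    ($Dn -split '(?<!\\),', 2)[1]
}

function Get-BitLockerRecoveryInfo {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$ComputerName)
    process {
        $computer = Get-ADComputer -Identity $ComputerName -ErrorAction Stop
        # OneLevel: only the direct children of the computer object
        Get-ADObject -Filter "objectClass -eq 'msFVE-RecoveryInformation'" `
                     -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
                     -Properties 'msFVE-RecoveryPassword', 'whenCreated' |
            ForEach-Object {
                $keyId = if ($_.Name -match $KeyIdPattern) { $Matches[1] } else { $null }
                [pscustomobject]@{
                    ComputerName     = $computer.Name
                    BackedUp         = $_.whenCreated
                    RecoveryKeyId    = $keyId                        # recovery screen shows its first 8 characters
                    RecoveryPassword = $_.'msFVE-RecoveryPassword'   # 48 digits, eight groups of six
                }
            } | Sort-Object BackedUp -Descending
    }
}

function Find-BitLockerRecoveryKeyId {
    # Reverse lookup: from the 8-character key ID on the recovery screen to the
    # owning computer and its password. The filter matches the GUID in the object name.
    param([Parameter(Mandatory)][ValidatePattern('^[0-9A-Fa-f]{8}$')][string]$KeyIdPrefix)
    $filter = "objectClass -eq 'msFVE-RecoveryInformation' -and Name -like '*{$KeyIdPrefix*'"
    Get-ADObject -Filter $filter -SearchBase (Get-ADDomain).DistinguishedName `
                 -Properties 'msFVE-RecoveryPassword' |
        ForEach-Object {
            $keyId = if ($_.Name -match $KeyIdPattern) { $Matches[1] } else { $null }
            [pscustomobject]@{
                ComputerName     = (Get-ADObject -Identity (Get-ParentDn $_.DistinguishedName)).Name
                RecoveryKeyId    = $keyId
                RecoveryPassword = $_.'msFVE-RecoveryPassword'
            }
        }
}

function Get-ComputerWithoutBitLockerBackup {
    # Enabled computers with no recovery object at all. One query for every recovery
    # object in the domain plus a hash lookup, instead of one LDAP query per computer.
    $backedUp = @{}
    Get-ADObject -LDAPFilter '(objectClass=msFVE-RecoveryInformation)' `
                 -SearchBase (Get-ADDomain).DistinguishedName |
        ForEach-Object { $backedUp[(Get-ParentDn $_.DistinguishedName).ToLowerInvariant()] = $true }
    Get-ADComputer -Filter "Enabled -eq 'True'" |
        Where-Object { -not $backedUp.ContainsKey($_.DistinguishedName.ToLowerInvariant()) }
}

# Usage
Get-BitLockerRecoveryInfo -ComputerName 'memdp2' | Format-Table -AutoSize
Find-BitLockerRecoveryKeyId -KeyIdPrefix '1A2B3C4D'   # hypothetical prefix read off a recovery screen
Get-ComputerWithoutBitLockerBackup | Select-Object Name, DistinguishedName
```

The reverse lookup is the query you actually need on the phone with a user: they read you the first eight characters of the key ID, and the name match finds the right object even when one computer has several passwords. The audit function is the one to schedule; a computer that appears in its output will have nothing to recover from when its disk is locked.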

Good luck.
