How To Get BitLocker Recovery Passwords from Active Directory Using PowerShell (With “Whole-OU-to-CSV” Script Included)

Danilo Bilanoski
6 min read · May 17, 2024

Recently we had an automated site-wide BIOS update effort and some home users ended up in an edge scenario where BitLocker suspension did not occur prior to the BIOS update scheduling. This meant that the BIOS update would execute and trigger the BitLocker recovery prompt, so the next reboot brought a nice blue BitLocker recovery screen, locking users out of their computers and asking for a BitLocker recovery password.

If this only affected a few users, looking the information up in the graphical Active Directory Users and Computers (ADUC) console of a properly configured environment would suffice. As the numbers grow, however, and support has to happen during off-hours when a laptop with RSAT installed might not be at hand, exporting the information to a text format that can be read anywhere quickly becomes essential.

Today, we’ll explore how to export BitLocker recovery passwords using PowerShell and, by the end, you’ll have a ready-to-use PowerShell script that exports an entire Organizational Unit (OU) into a CSV file.

Note: It’s advisable to save this piece to your reading list, as you may not come across it again.


For Those In A Hurry

  1. PowerShell step-by-step approach with examples.
  2. Ready-to-use whole-OU-to-CSV PowerShell script for scraping BitLocker passwords from AD.

What The Heck Is BitLocker?

BitLocker is the full-volume encryption feature built into Windows. Once enabled, the contents of the drive are unreadable without one of the volume’s key protectors. On a typical corporate device that protector is the TPM, which releases the volume key automatically only when the measured boot state matches the state it was sealed against; if it does not match, or the usual protector is unavailable, BitLocker enters recovery mode and will not unlock the volume without the 48-digit recovery password.

The catch is that a changed boot state can be perfectly legitimate: a firmware (BIOS/UEFI) update, a hardware change, a modified boot configuration or Secure Boot setting, and so on. Any of those can lock the user out of the computer, so it is essential that recovery passwords are escrowed somewhere the help desk can reach them.

When it comes to saving BitLocker recovery information, there are a few options, such as a folder, a USB device, a Microsoft account or Active Directory. In this article we are dealing with passwords saved to AD computer objects, which only happens if the Group Policy setting that stores BitLocker recovery information in AD DS (ideally together with the option that refuses to enable BitLocker until the information has been stored) was in place before the drives were encrypted. These things should be carefully considered when planning a BitLocker rollout, and Microsoft’s BitLocker documentation is a good starting point.

Getting BitLocker Passwords From Active Directory With PowerShell

BitLocker recovery information is not an attribute of the computer object itself, so Get-ADComputer (even with -Properties *) will not reveal it. It is stored in child objects of class msFVE-RecoveryInformation that sit directly under the computer object, one per escrowed recovery password, and the password itself lives in the msFVE-RecoveryPassword attribute of each child object.

First, open PowerShell with an account that is allowed to read BitLocker recovery information: by default that is Domain Admins, and read access on msFVE-RecoveryInformation objects can be delegated to a help-desk group. Local elevation on your own machine is not what matters here, the AD permissions are. Make sure the ActiveDirectory PowerShell module (part of RSAT) is installed and imported.

Import-Module ActiveDirectory

Fetch The Computer Object

We need to retrieve the computer object from the Active Directory so that its DistinguishedName property can later be used to retrieve the password data.

We’ll extract the DistinguishedName on the same line and store it in a variable so that we have it readily available as a text string

$ComputerDname = $(Get-AdComputer hroslp17).DistinguishedName
Screenshot of an AD computer object loaded in PowerShell showing its DistinguishedName attribute.

Fetch msFVE-RecoveryInformation Object

Now we will retrieve the child objects of class msFVE-RecoveryInformation that sit under the computer object; among other attributes, each of them holds one BitLocker recovery password.

When fetching them, we include the SearchBase parameter pointed at the computer object’s DistinguishedName we saved before (the default SearchScope is Subtree, so the children are found). Without SearchBase, the command would return the recovery objects for the entire domain, which you probably don’t want, and which is exactly the kind of bulk read a detection team should be watching a privileged account for.

For the sake of exploration, we are specifying the Properties parameter to include every attribute and saving it to a variable so that we can inspect the attributes it holds.

$RecoveryObj=Get-ADObject -Filter {objectclass -eq 'msFVE-RecoveryInformation'} -SearchBase $ComputerDname -Properties *

Looking at the properties and methods of these objects, we notice several useful pieces of information for a script. Three worth knowing are:

  • msFVE-RecoveryPassword, which contains the 48-digit recovery password.
  • msFVE-RecoveryGuid, the password ID, stored as a 16-byte octet string. The Key ID shown on the recovery screen is this GUID, so it lets you pick the right entry when a computer has several (the object’s name also contains the escrow timestamp and the same GUID).
  • whenCreated, the date the entry was escrowed.
Screenshot of an AD msFVE-RecoveryInformation object in PowerShell showing its methods and attributes.

Extract The BitLocker Recovery Password

Now that our $RecoveryObj variable holds the recovery object(s) for our computer, we can print the password using dot notation with the attribute name. If the computer has more than one recovery object, this returns one password per object.

$RecoveryObj.'msFVE-RecoveryPassword'
Screenshot of an msFVE-RecoveryInformation object in Powershell showing its msFVE-RecoveryPassword attribute value.

Please note that the attribute name has to be quoted: without the quotes PowerShell would parse the hyphen in msFVE-RecoveryPassword as an operator rather than as part of the name.

A Lengthy One-liner

We can further condense this to one line, sacrificing a bit of readability.

Since every escrowed password is kept as its own recovery object (a computer accumulates them when keys are rotated, the OS is reinstalled or additional volumes are encrypted), we request whenCreated as well, sort on it in descending order and keep only the first result, which is the newest entry. Bear in mind that “newest” is not necessarily “the OS drive” on a machine with several encrypted volumes; when in doubt, match the Key ID from the recovery screen against msFVE-RecoveryGuid instead.

$(Get-ADObject -Filter {objectclass -eq 'msFVE-RecoveryInformation'} -SearchBase $(Get-ADComputer hroslp17).DistinguishedName -Properties 'msFVE-RecoveryPassword',whenCreated | Sort-Object whenCreated -Descending | Select-Object -First 1).'msFVE-RecoveryPassword'
Screenshot of a Powershell one-line script extracting the BitLocker recovery password from Active Directory.
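The one-liner gives you the newest password, but what the user actually reads out over the phone is the Key ID on the recovery screen. The following function, an added example written for this article rather than the author’s own code, returns every escrowed entry for a computer with its Key ID, volume ID and date, and can filter on the Key ID (full GUID or just its first eight characters, the same prefix ADUC’s search accepts). It assumes the ActiveDirectory module and an account allowed to read msFVE-RecoveryInformation objects; the computer name and Key ID in the usage lines are placeholders.

```powershell
# Added example for this article (not the author's script). Assumes the
# ActiveDirectory module and read access to msFVE-RecoveryInformation objects;
# the computer name and Key ID in the usage lines below are made up.
Import-Module ActiveDirectory

function Get-BitLockerRecoveryInfo {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string] $ComputerName,

        # Optional: the Key ID shown on the recovery screen, either the full
        # GUID or only its first 8 hex characters
        [string] $KeyId
    )

    $computer = Get-ADComputer -Identity $ComputerName -ErrorAction Stop

    # One child object per escrowed recovery password, directly under the computer
    $entries = Get-ADObject -Filter "objectClass -eq 'msFVE-RecoveryInformation'" `
                            -SearchBase $computer.DistinguishedName `
                            -SearchScope OneLevel `
                            -Properties 'msFVE-RecoveryGuid', 'msFVE-VolumeGuid',
                                        'msFVE-RecoveryPassword', whenCreated |
        ForEach-Object {
            [pscustomobject]@{
                ComputerName     = $computer.Name
                WhenCreated      = $_.whenCreated
                # Both GUIDs are stored as 16-byte octet strings; [guid] rebuilds them
                KeyId            = ([guid]$_.'msFVE-RecoveryGuid').ToString().ToUpper()
                VolumeId         = ([guid]$_.'msFVE-VolumeGuid').ToString().ToUpper()
                RecoveryPassword = $_.'msFVE-RecoveryPassword'
            }
        } |
        Sort-Object WhenCreated -Descending

    if ($KeyId) {
        # Prefix match, so a truncated Key ID read off the screen still works
        $wanted = $KeyId.Trim('{}').ToUpper()
        $entries = $entries | Where-Object { $_.KeyId.StartsWith($wanted) }
    }

    return $entries
}

# Usage (placeholder names): every escrowed password for one computer, newest first
Get-BitLockerRecoveryInfo -ComputerName hroslp17 | Format-Table WhenCreated, KeyId, RecoveryPassword

# Only the entry whose Key ID starts with what the user reads from the recovery screen
Get-BitLockerRecoveryInfo -ComputerName hroslp17 -KeyId 1A2B3C4D
```

Filtering on the Key ID sidesteps the “newest is not the OS drive” problem entirely, and the VolumeId column tells you which entries belong to the same volume when you are looking at a history of rotated keys.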

Whole-OU-to-CSV BitLocker Passwords Scraper PowerShell Script

For a complete solution to export recovery information for multiple computers at once, refer to the script below.

To use it:

  1. Set the $computers variable to the Active Directory OU you want to export.
  2. Set the $csvPath variable to the absolute path of the CSV file you want to write.
  3. Run the script with an account that can read BitLocker recovery information (Domain Admins by default, or a group that has been delegated read access to msFVE-RecoveryInformation objects). Running PowerShell “as administrator” on your own machine does not grant that.

The result is a CSV file with the columns HostName, KeyId, WhenCreated and RecoveryPassword, one row per computer; KeyId is the value to compare with the Key ID the user reads from the recovery screen. Two caveats: a computer with several encrypted volumes has several recovery objects and the newest one is not necessarily the OS drive’s, so match on KeyId when in doubt; and a row reading “No recovery information in AD” means no key was ever escrowed for that computer, which is a finding in itself and not proof that BitLocker is off. Finally, this file is every recovery key in the OU in clear text: keep it on an encrypted volume with a tight ACL, prefer reading it from a managed device over mailing or syncing it to personal ones, and delete it once the incident is over.

# Set the AD target OU
$computers = Get-ADComputer -Filter * -SearchBase "OU=your-ou,OU=your-parent-ou,DC=your-domain,DC=local"
# Set the absolute path to the output CSV file
$csvPath = "C:\bitlocker-list.csv"

# Loop over computers and collect one row each
$output = foreach ($computer in $computers) {
    # Fetch every msFVE-RecoveryInformation child object, newest first
    $entries = Get-ADObject -Filter {objectClass -eq 'msFVE-RecoveryInformation'} `
        -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
        -Properties 'msFVE-RecoveryPassword', 'msFVE-RecoveryGuid', whenCreated |
        Sort-Object whenCreated -Descending

    if (-not $entries) {
        # No child object: the key was never escrowed to AD (or BitLocker is off)
        [pscustomobject]@{
            HostName         = $computer.Name
            KeyId            = ''
            WhenCreated      = ''
            RecoveryPassword = 'No recovery information in AD'
        }
        continue
    }

    # Select-Object -First 1 covers both the single-key and the multi-key case
    $latest = $entries | Select-Object -First 1
    [pscustomobject]@{
        HostName         = $computer.Name
        # Same GUID the recovery screen shows as the Key ID
        KeyId            = ([guid]$latest.'msFVE-RecoveryGuid').ToString().ToUpper()
        WhenCreated      = $latest.whenCreated
        RecoveryPassword = $latest.'msFVE-RecoveryPassword'
    }
}

# Export-Csv quotes the fields and writes the header row for us
$output | Export-Csv -Path $csvPath -NoTypeInformation
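A computer that shows up in the export without any recovery information is the case you want to fix before the next firmware rollout, not after. The following function is an added example for this article, not the author’s script, and runs on the workstation itself rather than against AD: it finds every recovery-password protector on the machine and pushes it to AD DS with Backup-BitLockerKeyProtector, reporting the protector ID so you can confirm it afterwards against msFVE-RecoveryGuid. It assumes the BitLocker PowerShell module (Windows 8 / Server 2012 and later), local administrator rights and a Group Policy that permits storing recovery information in AD DS.

```powershell
# Added example for this article (not the author's script), meant to be run on
# the workstation itself. Requires the BitLocker module, local administrator
# rights and the Group Policy that allows storing recovery information in AD DS.
function Backup-RecoveryPasswordsToAD {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Volumes to process; defaults to every BitLocker-capable volume on the machine
        [string[]] $MountPoint = (Get-BitLockerVolume).MountPoint
    )

    foreach ($mp in $MountPoint) {
        $volume = Get-BitLockerVolume -MountPoint $mp

        if ($volume.VolumeStatus -eq 'FullyDecrypted') {
            Write-Warning "$mp is not encrypted; nothing to escrow"
            continue
        }

        # Only RecoveryPassword protectors can be backed up to AD
        $protectors = $volume.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
        if (-not $protectors) {
            Write-Warning "$mp has no recovery password protector; add one with Add-BitLockerKeyProtector -MountPoint $mp -RecoveryPasswordProtector"
            continue
        }

        foreach ($kp in $protectors) {
            if ($PSCmdlet.ShouldProcess("$mp, protector $($kp.KeyProtectorId)", 'Backup-BitLockerKeyProtector to AD DS')) {
                Backup-BitLockerKeyProtector -MountPoint $mp -KeyProtectorId $kp.KeyProtectorId | Out-Null
                [pscustomobject]@{
                    MountPoint     = $mp
                    # The same GUID AD stores in msFVE-RecoveryGuid and in the object name
                    KeyProtectorId = $kp.KeyProtectorId
                    EscrowedToAD   = $true
                }
            }
        }
    }
}

# Dry run first, then for real
Backup-RecoveryPasswordsToAD -WhatIf
Backup-RecoveryPasswordsToAD
```

Run it with -WhatIf first to see which protectors would be escrowed. The lockouts this article opens with are avoided in the first place by suspending BitLocker for one reboot (Suspend-BitLocker -MountPoint C: -RebootCount 1) before the firmware update runs; the escrow check above is the safety net for when that step is missed.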

Supporting users locked out of their workstations is never easy, especially when the hard-to-acquire 48-digit numerical passwords are the only way to regain access.

Hopefully, this one will help you sort things out quickly.

Author’s Note

You made it to this point! Well, kudos to you my friend — either I’m a decent writer or you’re an excellent reader. Let’s go with the latter😅.

I’m Danilo, a seasoned IT Service Delivery engineer navigating the corporate chaos. I write about scripting, sysadmin stuff, and topics that are poorly documented elsewhere, with the aim of sharing knowledge and improving my writing skills.

Clap hands and leave feedback if you can.
