Get BitLocker Recovery Key From AD

Back up one existing protector for the C: drive to Active Directory (the ID is the GUID shown in braces by manage-bde -protectors -get c:):

manage-bde -protectors -adbackup c: -id {existing-protector-GUID}

Or, back up all protectors for the C: drive:

# Import the required module
Import-Module BitLocker
# The BitLocker module has no Get-BitLockerRecoveryKey cmdlet; read the recovery
# password protector from Get-BitLockerVolume instead, remotely via Invoke-Command
Invoke-Command -ComputerName "PC-USER01" -ScriptBlock {
    (Get-BitLockerVolume -MountPoint "C:").KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
}

# Load AD module
Import-Module ActiveDirectory

# Recovery information is stored as msFVE-RecoveryInformation child objects of the computer object
Get-ADObject -Filter {objectClass -eq 'msFVE-RecoveryInformation'} -SearchBase "CN=ComputerName,OU=Workstations,DC=contoso,DC=com" -Properties msFVE-RecoveryPassword, msFVE-RecoveryGuid

Alternatively, search by recovery password ID (GUID):

Get-ADObject -Filter {msFVE-RecoveryGuid -eq "GUID-HERE"} -Properties msFVE-RecoveryPassword

Option B: Using ActiveDirectory Module to Search by Computer

$computerName = "WS-10234"
$computer = Get-ADComputer $computerName
$recoveryInfo = Get-ADObject -Filter {objectClass -eq 'msFVE-RecoveryInformation'} -SearchBase $computer.DistinguishedName -Properties msFVE-RecoveryPassword, msFVE-RecoveryGuid
# Attribute names that contain a hyphen must be quoted when accessed as properties
$recoveryInfo | Select-Object Name, @{N="RecoveryPassword";E={$_.'msFVE-RecoveryPassword'}}, @{N="PasswordID";E={$_.'msFVE-RecoveryGuid'}}

Method 3: Using manage-bde (Local or Remote via PSExec)

If you are on the local computer or can access it remotely, you can query AD via manage-bde. But the more direct AD query uses the ActiveDirectory module:

# On the BitLocker-protected machine, list the protectors and note the recovery password protector's ID
manage-bde -protectors -get c:
# Then back that protector up to AD using its ID (shown in braces in the list above)
manage-bde -protectors -adbackup c: -id {GUID-from-protector-list}

Introduction

When BitLocker Drive Encryption is deployed in a managed enterprise environment, Group Policy can be configured to automatically store the recovery password (and key package) in Active Directory. This is a critical disaster recovery measure: if a user forgets their PIN, loses their smart card, experiences a TPM malfunction, or moves a drive to another computer, the recovery key is required to unlock the encrypted volume.

But the more direct AD query uses the ActiveDirectory module:
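The following is an added example, not code from the original article: it extends the Option B computer-scoped query into two reusable functions, one that lists the recovery passwords escrowed under a computer object together with the Password ID shown on the recovery screen, and one that audits an OU for computers with no escrowed recovery information at all. It assumes the ActiveDirectory module; the OU path and computer name are constructed placeholders.

```powershell
# Added example, not from the original article. Assumes the ActiveDirectory module;
# the OU path and computer name below are constructed placeholders.
Import-Module ActiveDirectory

$RecoveryClassFilter = "objectClass -eq 'msFVE-RecoveryInformation'"

# List every recovery password escrowed under one computer object, with the
# Password ID that the BitLocker recovery screen displays.
function Get-EscrowedBitLockerKey {
    param([Parameter(Mandatory)][string]$ComputerName)
    $computer = Get-ADComputer -Identity $ComputerName
    # msFVE-RecoveryInformation objects are direct children of the computer object
    Get-ADObject -Filter $RecoveryClassFilter -SearchBase $computer.DistinguishedName `
                 -SearchScope OneLevel `
                 -Properties 'msFVE-RecoveryPassword', 'msFVE-RecoveryGuid', whenCreated |
        ForEach-Object {
            [PSCustomObject]@{
                Computer         = $ComputerName
                # msFVE-RecoveryGuid is an octet string; rebuild the GUID from its bytes
                PasswordID       = ([guid]::new([byte[]]$_.'msFVE-RecoveryGuid')).ToString()
                RecoveryPassword = $_.'msFVE-RecoveryPassword'
                Escrowed         = $_.whenCreated
            }
        }
}

# Audit an OU: count escrowed recovery objects per computer so that machines with
# zero entries (policy in place but no backup ever written) can be followed up.
function Test-BitLockerEscrow {
    param([Parameter(Mandatory)][string]$SearchBase)
    Get-ADComputer -Filter * -SearchBase $SearchBase | ForEach-Object {
        $keys = @(Get-ADObject -Filter $RecoveryClassFilter `
                               -SearchBase $_.DistinguishedName -SearchScope OneLevel)
        [PSCustomObject]@{ Computer = $_.Name; EscrowedKeys = $keys.Count }
    }
}

# Usage (constructed values)
Test-BitLockerEscrow -SearchBase 'OU=Workstations,DC=contoso,DC=com' |
    Where-Object EscrowedKeys -eq 0
Get-EscrowedBitLockerKey -ComputerName 'WS-10234' | Format-Table -AutoSize
```

Reading msFVE-RecoveryPassword requires rights delegated on that attribute, whereas the escrow count in Test-BitLockerEscrow only needs read access to the child objects, so the audit can run under a less privileged account than the key lookup.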