Part 6 of 7 explains how to view the BitLocker Recovery Password in Active Directory, how to access TPM information and how to put BitLocker recovery information manually into Active Directory.

Now that we’ve used BitLocker to encrypt an operating system drive, a fixed data drive, and a removable drive, we should have recovery information for all three drives in Active Directory.

View the BitLocker Recovery Password in AD

To view the information, first make sure that you’ve installed the BitLocker Recovery Password Viewer. Open Active Directory Users and Computers and view the properties of your computer object by double-clicking on it. Go to the BitLocker Recovery tab, and you should now see the recovery passwords for all of the drives encrypted on the system.

View BitLocker Recovery Key in Active Directory

View TPM owner information in Active Directory

If you chose to back up the TPM owner information in Active Directory, here’s how you can find it in AD. First, you’ll need to enable Advanced Features in Active Directory Users and Computers. You can do this by clicking on the View menu and clicking Advanced Features. If Advanced Features already has a check mark by it, it is enabled.

Active Directory Advanced Features

View the Computer object properties by double-clicking on the computer name. Go to the Attribute Editor and scroll down to msTPM-OwnerInformation.

View TPM Information

Put BitLocker recovery information into Active Directory manually

If you have computers whose drives were BitLocker-encrypted before Active Directory was configured to back up recovery information, you can still put that information into AD manually. On the system that has the BitLocker-encrypted drive, open a command prompt elevated with admin rights and run the command:

manage-bde -protectors -get c:

You should get something like this:

View BitLocker Backup Recovery Information on the command prompt

Notice that I’ve highlighted a section of the output: the ID of the recovery password protector. Take that ID and run the following command:

manage-bde -protectors -adbackup c: -id {yourdrivesIDnumber}

Hopefully, you’ll see a success message:

Backup BitLocker Recovery information manually to Active Directory

If you need to do this for more than a handful of systems, there’s a great script on TechNet that will allow you to put this information into AD for Windows 7 systems.
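The same -get / -adbackup steps, repeated for every protected volume on a machine, as an added PowerShell example (not the article’s own code and not the TechNet script it mentions). It assumes an elevated prompt on the domain-joined client, manage-bde.exe on the PATH, and an AD already prepared as in the earlier parts of this series.

```powershell
# Added example, not the article's or the TechNet script's code: back up every
# BitLocker recovery password on this computer to Active Directory with
# manage-bde. Assumptions: elevated PowerShell on the domain-joined client,
# manage-bde.exe on the PATH, AD already set up to accept the recovery info.

function Get-RecoveryPasswordIds {
    param([Parameter(Mandatory)][string]$Drive)
    # Parse "manage-bde -protectors -get <drive>": the recovery password is a
    # "Numerical Password:" block whose next "ID: {GUID}" line is what -adbackup
    # needs. TPM and other protector IDs are skipped; only this one goes to AD.
    $ids = @()
    $inNumericalPassword = $false
    foreach ($line in (& manage-bde.exe -protectors -get $Drive 2>&1)) {
        if ($line -match '^\s*Numerical Password:') {
            $inNumericalPassword = $true
        }
        elseif ($inNumericalPassword -and $line -match '^\s*ID:\s*(\{[0-9A-Fa-f-]{36}\})') {
            $ids += $Matches[1]
            $inNumericalPassword = $false
        }
        elseif ($line -match '^\s*\S.*:\s*$') {
            $inNumericalPassword = $false   # a different protector header
        }
    }
    return $ids
}

function Backup-AllRecoveryPasswords {
    # Every volume with a drive letter whose BitLocker protection is on (1).
    $volumes = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
                             -Class Win32_EncryptableVolume |
               Where-Object { $_.DriveLetter -and $_.ProtectionStatus -eq 1 }
    foreach ($vol in $volumes) {
        $drive = $vol.DriveLetter
        $ids = @(Get-RecoveryPasswordIds -Drive $drive)
        if ($ids.Count -eq 0) { Write-Warning "$drive has no recovery password protector"; continue }
        foreach ($id in $ids) {
            & manage-bde.exe -protectors -adbackup $drive -id $id | Out-Null
            if ($LASTEXITCODE -eq 0) { Write-Output "$drive protector $id backed up to AD" }
            else { Write-Warning "$drive protector $id failed with exit code $LASTEXITCODE" }
        }
    }
}
Backup-AllRecoveryPasswords
```

On Windows 8 / Server 2012 and later the built-in Backup-BitLockerKeyProtector cmdlet does the -adbackup step without parsing manage-bde output.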

5 Comments
  1. Annabel 11 years ago

    I have locked my pen drive from my Windows 7 laptop and it crashed, not because of this … another reason… the point is that the laptop is being repaired and I am using my old laptop which has Windows XP and I can’t access the pen drive and I urgently need the info stored there… there is no option to put my password in at all… How can I access it now …?? :-)))

  2. Kyle 11 years ago

    Annabel – You may want to re-read Part 5 of the series: https://4sysops.com/archives/set-up-active-directory-for-bitlocker-part-5-bitlocker-to-go/. There should be a utility on the drive that will allow you to read the files in XP. Sorry, you’ll need Windows 7 to write to the drive.

  3. Annabel 11 years ago

    Dear Kyle,
    Thank you so much…. so simple and was right there under my nose… was looking into the wrong part.
    Thanks again

  4. ammar hasayen 10 years ago

    Nice… I have written a script to export recovery information
    http://ammarhasayen.wordpress.com/?s=bitlocker&submit=Search

  5. Vino 4 years ago

    Hi,

    really great article here.

    My computer is asking for the BitLocker recovery key.

    When I check the BitLocker Recovery tab in Active Directory, no information is available.

    May I know some reason why it’s not backed up on my domain controller?

    thank you,

    Vino
