Home ยป PowerShell ยป PowerShell Get AdComputer BitLocker Key

PowerShell Get AdComputer BitLocker Key

The Get-AdComputer command in PowerShell is used to get the active directory computers. It uses the class msFVE-RecoveryInformation that contains the Full Volume encryption password and uses the attribute msFVE-RecoveryPassword to get the adcomputer BitLocker key.

ms-FVE-RecoveryPassword attribute stores the password that is required to recover Full Volumne encryption volume.

In this article, we will discuss how to get adcomputer BitLocker recovery key from ad using PowerShell.

Get ADComputer BitLocker Recovery Key and Name

Use the Get-AdComputer cmdlet in PowerShell to retrieve the computers in Active Directory and pass the computer information to the class msFVE-RecoveryInformation to get the recovery key.

# Get the adcomputer
$comp = Get-ADComputer ENGG-PRO

# Get the distinguished name of the computer
$dn = $comp.DistinguishedName

# Create LDAP path
$ldPath = "AD:\",$dn -join ""

# get object that contains Full Volume encryption password
$ldObj = Get-ChildItem $ldPath | where {$_.objectClass -eq "msFVE-RecoveryInformation"}

# Create LDAP path
$ldObj = "AD:\",$ldObj.distinguishedName -join ""

# Use the attribute msFVE-RecoveryPassword
$pass = Get-Item $ldObj -properties "msFVE-RecoveryPassword"

# Get the bitlocker recovery for adcomputer
$recoveryPassword = $pass.'msFVE-RecoveryPassword'

# Get the computer name
$computerName = $comp.Name

In the above PowerShell script, the Get-AdComputer cmdlet retrieves the computer details from the active directory. Using the class msFVE-RecoveryInformation, it gets an object that stores the Full Volume encryption password.

The msFVE-RecoveryPassword attribute is used to get the BitLocker key for the computer in the active directory (AD) and the computer name using $comp.name.

The output of the above PowerShell script results in getting the adcomputer bitlocker key and computer name.


I hope the above article on how to get adcomputer bitlocker recovery key and its name using the Get-AdComputer cmdlet in PowerShell is helpful to you.

Get-AdComputer -Filter * retrieves all the computers in the active directory. If the active directory size is huge, it may result in a timeout issue. Hence use the SearchBase parameter to limit the search of computers within the OU.

You can find more topics about PowerShell Active Directory commands and PowerShell basics on the ShellGeek home page.