Portable — Bitlocker Recovery Key Active Directory

AD allows granular delegation. You can grant the Help Desk "Read" access to recovery keys without giving them domain admin privileges. Standard users cannot view their own recovery keys, and auditors can track who accessed which key via native AD logs.

Locate the specific computer object, right-click it, and select .

If computers are encrypting but AD shows no keys, query the computer object directly for escrowed recovery information:

# Recovery objects are children of the computer object, so the computer DN is the search base.
# The -Filter expression must be passed as one quoted string.
Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' -SearchBase "CN=Laptop-001,OU=Computers,DC=Contoso,DC=com" -Properties msFVE-RecoveryPassword | Select-Object Name, msFVE-RecoveryPassword
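To catch the "encrypting but nothing escrowed" case across a whole OU rather than one machine, the following added example (not code from the original page) reports every computer under a search base with its count of escrowed recovery objects; it assumes the ActiveDirectory module and a placeholder OU path.

```powershell
# Added example, not from the original page. Assumes the ActiveDirectory module
# is installed and that the caller has read access to msFVE-RecoveryInformation.
Import-Module ActiveDirectory

function Get-BitLockerEscrowReport {
    param(
        # Placeholder search base; replace with the OU that holds the encrypted machines.
        [Parameter(Mandatory)] [string]$SearchBase
    )
    Get-ADComputer -Filter * -SearchBase $SearchBase | ForEach-Object {
        $computer = $_
        # msFVE-RecoveryInformation objects hang directly beneath the computer object,
        # so a OneLevel search under its DN finds only that machine's keys.
        $keys = @(Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
                               -SearchBase $computer.DistinguishedName `
                               -SearchScope OneLevel `
                               -Properties whenCreated)
        # Newest escrow first: the object name embeds the escrow time and the key ID
        # shown on the recovery screen, which is what you match a user's request against.
        $latest = $keys | Sort-Object whenCreated -Descending | Select-Object -First 1
        [pscustomobject]@{
            ComputerName     = $computer.Name
            EscrowedKeyCount = $keys.Count
            LatestEscrow     = if ($latest) { $latest.whenCreated } else { $null }
            LatestKeyObject  = if ($latest) { $latest.Name } else { $null }
            Status           = if ($keys.Count -eq 0) { 'NO KEY ESCROWED' } else { 'OK' }
        }
    }
}

# Usage: list machines with no escrowed key, which usually means the escrow policy
# was not applied before encryption started (placeholder OU path).
Get-BitLockerEscrowReport -SearchBase 'OU=Laptops,DC=Contoso,DC=com' |
    Where-Object Status -eq 'NO KEY ESCROWED' |
    Format-Table -AutoSize
```

Machines flagged here need a backup of the recovery password to AD (for example with manage-bde -protectors -adbackup on the client) rather than a new key.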

Unlike consumer storage (Microsoft Account), AD escrow works with all BitLocker authenticators: TPM-only, TPM+PIN, TPM+USB, or password protectors. The recovery password is always escrowed regardless of the unlock method.