BitLocker recovery passwords (and key packages) are stored as attributes of the computer object that has BitLocker enabled.
Keys are not stored in Active Directory by default. For this process to work, several conditions must be met:

Schema Requirements
| Item | Location in AD |
|------|----------------|
| Recovery password | msFVE-RecoveryPassword on computer object |
| Recovery GUID | msFVE-RecoveryGuid |
| Key package | msFVE-KeyPackage |
| Parent object | Computer object (class: computer) |
| Storage object class | msFVE-RecoveryInformation |
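An added example (not from the original page or from Microsoft): a PowerShell audit that counts the msFVE-RecoveryInformation objects found directly beneath each computer object, so machines with no escrowed recovery information stand out. It assumes the RSAT ActiveDirectory module and Windows PowerShell 5 or later; the function name and the OU distinguished name are hypothetical placeholders, and msFVE-RecoveryPassword is deliberately never read.

```powershell
# Added example: BitLocker recovery-key escrow coverage per computer object.
# Needs the ActiveDirectory module (RSAT) and read access to the
# msFVE-RecoveryInformation objects. The recovery password itself is not requested.
Import-Module ActiveDirectory

function Get-BitLockerEscrowReport {   # hypothetical function name
    param(
        # Distinguished name of the OU to audit (supply one from your own directory).
        [Parameter(Mandatory)]
        [string]$SearchBase
    )

    Get-ADComputer -Filter * -SearchBase $SearchBase | ForEach-Object {
        $computer = $_

        # Look only one level below the computer object for recovery records.
        $query = @{
            SearchBase  = $computer.DistinguishedName
            SearchScope = 'OneLevel'
            Filter      = "objectClass -eq 'msFVE-RecoveryInformation'"
            Properties  = 'msFVE-RecoveryGuid', 'whenCreated'
        }
        $records = @(Get-ADObject @query)

        # The newest record is the one most likely to match the current protector.
        $latest = $records | Sort-Object whenCreated -Descending | Select-Object -First 1

        $guid = $null
        if ($latest -and $latest.'msFVE-RecoveryGuid') {
            # The attribute is a 16-byte octet string; convert it for display.
            $guid = [guid]::new([byte[]]$latest.'msFVE-RecoveryGuid')
        }

        [pscustomobject]@{
            Computer      = $computer.Name
            EscrowedKeys  = $records.Count
            LatestEscrow  = if ($latest) { $latest.whenCreated } else { $null }
            LatestKeyGuid = $guid
        }
    }
}

# Usage (placeholder DN, not a real directory path):
# Get-BitLockerEscrowReport -SearchBase 'OU=Workstations,DC=example,DC=test' |
#     Where-Object EscrowedKeys -eq 0
```

A computer that reports zero records either has no escrowed recovery information or the auditing account lacks permission to read those objects, so run the check with an account known to have that read access before treating zeros as gaps.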
Specifically, they are stored in:
Within the msFVE-RecoveryInformation object, the actual data is stored in specific attributes: