If the user only has a "Password ID," Alex right-clicks the entire domain and selects Find BitLocker Recovery Password to search the whole forest.
When prompted, Alex ensured the BitLocker Recovery Password Viewer (found under Remote Server Administration Tools > Feature Administration Tools) was included.
How to Enable BitLocker Recovery Password Viewer in Active Directory
Note: If you want to delegate this for the whole domain, run the delegation on the root of the domain or the "Computers" OU.
He pulled up an old KB article from 2015, the kind with yellow syntax highlighting and no images. The fix was brutal but clean: extend the schema using the BitLockerADBackup.wsf script from the Windows Server installation media. But he didn’t have the media. He had a half-dead laptop, a Red Bull, and a VP screaming into voicemail.
To allow a specific group (e.g., "Help Desk" or "Domain Admins") to view keys:
By default, Windows Server does not include a tool to view the BitLocker recovery keys stored in AD DS. You must install a specific Feature, extend the permissions, and then locate the keys within the Active Directory Users and Computers (ADUC) console.
Get-ADObject -Filter 'ObjectClass -eq "msFVE-RecoveryInformation"' -SearchBase "DC=contoso,DC=com" -Properties msFVE-RecoveryPassword  # filter must be a quoted string; request the password attribute explicitly, since Get-ADObject does not return it by default
But it was empty. A ghost field. The backup job had been failing for months. No one noticed because no one had needed a recovery password since the last auditor left.
cscript BitLockerADBackup.wsf /schema