Q: How can I easily retrieve BitLocker recovery passwords from Active Directory?
A: The Windows BitLocker Drive Encryption Recovery Password Viewer provides an easy way to retrieve and view BitLocker recovery passwords that were backed up to Active Directory (AD). It's an optional feature included with the Remote Server Administration Tools (RSAT), which you can install by using the Add Roles and Features option in Server Manager on Windows Server 2008 R2 and Windows Server 2012, or from the Programs and Features option in Control Panel.
The tool provides extensions to the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in and the Active Directory Administrative Center. When the extensions are installed, you can use the new BitLocker Recovery tab in an AD computer object's Properties dialog box to view the BitLocker recovery passwords that are linked to that computer's BitLocker-protected volumes.
Additionally, you can right-click the domain container in Active Directory Users and Computers and search for a specific BitLocker recovery password across the domain. To do so, in the Find BitLocker recovery password dialog box, which Figure 1 shows, type the first eight characters of the recovery password in the Password ID box, then click Search. Windows displays the first eight characters of the recovery password after the user or help desk operator reboots a client machine in recovery mode.
To view the recovery passwords in AD, you must be a domain administrator or have been delegated permissions by a domain administrator. The following conditions must also be met: the domain must be configured to store BitLocker recovery information (see "Storing BitLocker recovery information in AD DS" in the Microsoft article "Backing Up BitLocker and TPM Recovery Information to AD DS" for details on how to do this), and the BitLocker-protected computers must be joined to the domain.
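The same lookups the Recovery Password Viewer performs can be scripted with the ActiveDirectory PowerShell module that ships with RSAT, which is useful for help desk automation and for auditing which domain computers actually have recovery information escrowed. This is an added example, not code from the article or from the viewer itself; the computer name and the eight-character Password ID prefix in the usage lines are constructed placeholders, and the caller is assumed to hold the same domain admin or delegated rights the article describes.

```powershell
# Added example: query BitLocker recovery information stored in AD DS.
# Requires the ActiveDirectory module (RSAT) and read access to the
# msFVE-RecoveryInformation objects (domain admin or delegated rights).
Import-Module ActiveDirectory

# Recovery information lives in msFVE-RecoveryInformation child objects of the
# computer account. Each object's CN is "<timestamp>{<Password ID GUID>}", which
# is why the viewer only needs the first eight characters of the ID to find it.
function Get-BitLockerRecoveryInfo {
    param([Parameter(Mandatory)][string]$ComputerName)
    $computer = Get-ADComputer -Identity $ComputerName
    Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
        -LDAPFilter '(objectClass=msFVE-RecoveryInformation)' `
        -Properties 'msFVE-RecoveryPassword','msFVE-RecoveryGuid','msFVE-VolumeGuid','whenCreated' |
      Select-Object @{n='Computer';e={$ComputerName}},
                    @{n='PasswordId';e={[guid]::new([byte[]]$_.'msFVE-RecoveryGuid').ToString().ToUpper()}},
                    @{n='VolumeId';e={[guid]::new([byte[]]$_.'msFVE-VolumeGuid').ToString().ToUpper()}},
                    whenCreated,
                    @{n='RecoveryPassword';e={$_.'msFVE-RecoveryPassword'}}
}

# Equivalent of the "Find BitLocker recovery password" dialog: match the eight
# characters typed into the Password ID box against the GUID embedded in the CN.
function Find-BitLockerRecoveryPassword {
    param([Parameter(Mandatory)][ValidatePattern('^[0-9A-Fa-f]{8}$')][string]$PasswordIdPrefix)
    $domainDn = (Get-ADDomain).DistinguishedName
    Get-ADObject -SearchBase $domainDn -SearchScope Subtree `
        -LDAPFilter "(&(objectClass=msFVE-RecoveryInformation)(cn=*{$PasswordIdPrefix*))" `
        -Properties 'msFVE-RecoveryPassword','whenCreated' |
      Select-Object @{n='Computer';e={($_.DistinguishedName -split ',',2)[1]}}, whenCreated,
                    @{n='RecoveryPassword';e={$_.'msFVE-RecoveryPassword'}}
}

# Audit helper: computers with no recovery information escrowed at all, which
# usually means the backup policy never applied or BitLocker was enabled before it.
function Get-ComputersWithoutBitLockerRecovery {
    Get-ADComputer -Filter * | Where-Object {
        -not (Get-ADObject -SearchBase $_.DistinguishedName -SearchScope OneLevel `
                -LDAPFilter '(objectClass=msFVE-RecoveryInformation)')
    } | Select-Object Name, DistinguishedName
}

# Usage (placeholder values, not from the article):
# Get-BitLockerRecoveryInfo -ComputerName 'WKS-0001'
# Find-BitLockerRecoveryPassword -PasswordIdPrefix 'ABCDEF12'
# Get-ComputersWithoutBitLockerRecovery
```

The audit function enumerates every computer object, so scope it with a -SearchBase or -Filter in a large domain.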