
How to Get All BitLocker-Enabled Computers in Active Directory

BitLocker is one of the defenses that protects data even after a device is lost or stolen, but only if encryption is enabled. In many workplaces, computers can lose this protection due to setup mistakes or missing recovery keys. Without clear visibility into BitLocker status, these gaps can put sensitive data at risk. This guide shows how to check the BitLocker status of devices in Active Directory to identify unprotected devices and keep your organization’s data secure.

List All BitLocker-Enabled Computers in Active Directory Using PowerShell

Active Directory permission required
  • Least privilege: Domain Admins
  • Most privilege: Enterprise Admins
  • Open PowerShell and import the Active Directory module with the following cmdlet.
     Import-Module ActiveDirectory
  • Next, run the following PowerShell script to retrieve the BitLocker status of all computers in your Active Directory environment.
     # Walk every computer account and check whether a BitLocker recovery object
     # (objectClass msFVE-RecoveryInformation) is stored beneath it in Active Directory.
     $results = Get-ADComputer -Filter * -Properties OperatingSystem, OperatingSystemVersion, DNSHostName, Enabled |
         ForEach-Object {
             # Recovery objects are children of the computer object, so search under its DN.
             $recovery = Get-ADObject -LDAPFilter "(objectClass=msFVE-RecoveryInformation)" -SearchBase $_.DistinguishedName -ErrorAction SilentlyContinue
             if ($recovery) {
                 $machineType = if ($_.OperatingSystem -match "Server") { "Server" } else { "Workstation" }
                 [PSCustomObject]@{
                     ComputerName          = $_.Name
                     DNSHostName           = $_.DNSHostName
                     OperatingSystem       = $_.OperatingSystem
                     OSVersion             = $_.OperatingSystemVersion
                     MachineType           = $machineType
                     Enabled               = $_.Enabled
                     RecoveryKeyStoredInAD = "Yes"
                 }
             }
         }
     $results | Format-Table -AutoSize
  • This script lists the computers whose BitLocker recovery key is backed up in Active Directory; computers with no recovery object beneath them are omitted from the output.
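The script above emits a row only for computers that already have a recovery object. As an added example (not part of the original article), the following script makes one domain-wide query for all msFVE-RecoveryInformation objects, joins the result to the computer list, and reports every computer with a Yes/No flag, key count and latest backup date so unprotected devices are visible; it reads only object names and timestamps, never msFVE-RecoveryPassword, and the CSV path is an assumed value.

```powershell
Import-Module ActiveDirectory

# One query for every msFVE-RecoveryInformation object in the domain, instead of
# one Get-ADObject call per computer. Only objectClass and whenCreated are read;
# the msFVE-RecoveryPassword attribute itself is never requested.
$keysByComputer = @{}
Get-ADObject -LDAPFilter '(objectClass=msFVE-RecoveryInformation)' -Properties whenCreated |
    ForEach-Object {
        # The recovery object sits directly under its computer object, so its
        # parent DN (everything after the first unescaped comma) is the computer DN.
        $computerDn = ($_.DistinguishedName -split '(?<!\\),', 2)[1]
        if (-not $keysByComputer.ContainsKey($computerDn)) {
            $keysByComputer[$computerDn] = New-Object System.Collections.Generic.List[datetime]
        }
        $keysByComputer[$computerDn].Add($_.whenCreated)
    }

# Join against every computer account so devices WITHOUT a key are reported too.
$report = Get-ADComputer -Filter * -Properties OperatingSystem, OperatingSystemVersion, DNSHostName, Enabled, LastLogonDate |
    ForEach-Object {
        $dates = $keysByComputer[$_.DistinguishedName]
        [PSCustomObject]@{
            ComputerName          = $_.Name
            DNSHostName           = $_.DNSHostName
            OperatingSystem       = $_.OperatingSystem
            OSVersion             = $_.OperatingSystemVersion
            MachineType           = if ($_.OperatingSystem -match 'Server') { 'Server' } else { 'Workstation' }
            Enabled               = $_.Enabled
            LastLogonDate         = $_.LastLogonDate
            RecoveryKeyStoredInAD = if ($dates) { 'Yes' } else { 'No' }
            RecoveryKeyCount      = if ($dates) { $dates.Count } else { 0 }
            LatestKeyBackup       = if ($dates) { $dates | Sort-Object -Descending | Select-Object -First 1 } else { $null }
        }
    }

# Caveat: "No" means no key was ever backed up, which is either an unencrypted
# device or one encrypted before the backup policy applied; "Yes" proves a backup
# exists, not that the drive is still encrypted today. Confirm on the client.
$enabled     = @($report | Where-Object Enabled)
$unprotected = @($enabled | Where-Object { $_.RecoveryKeyStoredInAD -eq 'No' })
"{0} of {1} enabled computers have no BitLocker recovery key in AD" -f $unprotected.Count, $enabled.Count
$unprotected | Sort-Object LastLogonDate -Descending |
    Format-Table ComputerName, OperatingSystem, MachineType, LastLogonDate -AutoSize

# Full inventory for follow-up (assumed output path).
$report | Export-Csv -Path .\BitLockerStatus.csv -NoTypeInformation
```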

Prioritize BitLocker Encryption Across the Domain by Easily Identifying Unprotected Systems

AdminDroid’s Active Directory reporting tool gives you compliance visibility into BitLocker encryption across all domain-joined computers, along with their recovery key availability. This helps you quickly identify missing recovery keys and strengthen data security across your organization.

Instantly Find BitLocker Recovery Keys for Faster Troubleshooting

Leverage the BitLocker recovery keys overview report to find recovery keys for computers to unlock encrypted drives if users forget their passwords or devices become inaccessible.

Remediate BitLocker-Disabled Devices to Prevent Data Exposure

Identify the BitLocker disabled computers to review security risks and decide whether to enable encryption, upgrade the device, or decommission it to prevent data exposure.

Verify BitLocker Status from the Active Directory Computers Dashboard

Utilize the unified computers dashboard to view both the number and percentage of devices with BitLocker enabled at a glance, along with other device details.

Safeguard Newly Added Devices with BitLocker Encryption

Review recently created computers to ensure their drives are encrypted with BitLocker and detect potential gaps in security during onboarding.

Eliminate Security Weak Points from Outdated OS Devices

Filter the older OS versions report to identify devices with BitLocker disabled and evaluate whether they should be upgraded or retired to reduce security risks.

Ensure Organization-Wide BitLocker Protection

Centralize BitLocker visibility for all Active Directory computers in a single place, using customizable columns to quickly see which devices have encryption enabled.

Overall, AdminDroid enables proactive device data protection in Active Directory by delivering comprehensive BitLocker insights. Additionally, the platform’s integrated management and monitoring features simplify day-to-day Active Directory administration.

Explore a full range of reporting options

Important tips

Use the Delegation Wizard to grant help desk staff access to BitLocker recovery keys without assigning privileged roles, ensuring they can assist users after hardware changes.

Turn on the setting 'Do not enable BitLocker until recovery information is stored in AD DS' in the GPO policy relevant to the drive type so users cannot enable BitLocker unless the recovery key is saved in AD.

Use 256-bit encryption on high-performance hardware and 128-bit encryption on lower-performance devices to balance security and performance impact.

Common Errors and Resolution Steps

The following are possible errors and troubleshooting hints when retrieving the BitLocker status of all computers in Active Directory.

Error: Import-Module : The specified module 'ActiveDirectory' was not loaded because no valid module file was found in any module directory.

This error occurs when the Active Directory PowerShell module is not installed, that is, the RSAT AD tools are missing on the machine.

Fix: Use the following cmdlet to install the Active Directory module, then run the command again.
Add-WindowsCapability -Online -Name "Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0"

Error: Remove-ADObject : Cannot find an object with identity: '<DistinguishedNameWithKey>'.

This error occurs when the Distinguished Name is incorrect, or the object has already been deleted.

Fix: Verify that the Distinguished Name is correct and the object still exists in Active Directory, then run the cmdlet again. Replace <RecoveryKey> with the Distinguished Name of the recovery key object before execution.
Remove-ADObject -Identity "<RecoveryKey>" -Confirm:$true

Error: Get-ADObject : Directory object not found

This error occurs when the Distinguished Name (DN) provided in the -SearchBase parameter is incorrect or does not point to a valid computer object in Active Directory.

Fix: Verify the computer's location and ensure that the Distinguished Name (DN) is correct and exists in Active Directory.

Frequently Asked Questions

Effortlessly Set Up and Manage BitLocker in Active Directory

1. How to configure Active Directory to store BitLocker recovery keys using group policy?

BitLocker encryption protects data by securing the contents of the drive. However, storing recovery keys in Active Directory ensures encrypted drives can be securely recovered when devices are lost, damaged, or users forget their credentials. Group Policy provides a centralized way to enforce recovery key backup across all domain-joined computers.

Follow the steps below to configure BitLocker recovery key backup to your Active Directory environment. After configuring this policy, BitLocker recovery keys are automatically stored in AD for newly configured drives only.

Store BitLocker recovery information in Active Directory via GPO

  • Open Server Manager and navigate to Tools»Group Policy Management. Alternatively, open the console by running gpmc.msc from the Run dialog.
  • From the left pane, expand Domains, right-click the domain or the desired OU, and select Create a GPO in this domain, and Link it here.
  • Enter a descriptive name for the GPO under the Name section of the New GPO window and click OK. Then right-click the created GPO and select Edit.
  • Navigate to Computer Configuration»Policies»Administrative Templates»Windows Components»BitLocker Drive Encryption.
  • Right-click Store BitLocker recovery information in Active Directory Domain Services, select Edit, and choose the Enabled radio button.
  • Ensure Require BitLocker backup to AD DS is enabled.
  • Under Select BitLocker recovery information to store, choose Recovery passwords and key packages from the dropdown.
  • Then select Apply and click OK to save the configuration.
  • Alternatively, navigate to Fixed Data Drives, Operating System Drives, or Removable Data Drives under BitLocker Drive Encryption and configure the settings per drive type based on your requirements.
  • Then run gpupdate /force in PowerShell to apply the changes immediately.

2. How to enable Bitlocker on a computer drive?

BitLocker protects data through drive encryption and prevents unauthorized access when a company device is lost or stolen. This reduces compliance gaps and physical attack risk. On some Windows 10 and later devices, BitLocker can be automatically enabled when the hardware meets requirements (such as TPM support) and the device is signed in using a Microsoft account.

However, in some environments, it may be disabled or not configured by default. Follow the below steps to enable BitLocker on Active Directory computers. Before proceeding, ensure that you have local administrator or domain administrator privileges.

Configure BitLocker on computer drives

To configure BitLocker on a PC, sign in to that computer as an administrator, then follow the steps below to enable BitLocker on the client PC.

  • Open Control Panel and navigate to System and Security»BitLocker Drive Encryption.
  • Select Turn on BitLocker under the respective drive to configure BitLocker for that drive.
  • Choose an authentication method for BitLocker, such as a password or smart card, and click Next.
  • Then, select the preferred method to save the recovery key, and click Next.
  • Finally, select Start encrypting to encrypt the selected drive.

Note: The recovery key is backed up to AD DS only if the appropriate Group Policy is enabled in advance. You may also save a copy elsewhere if needed.

3. How to find the BitLocker recovery key for a computer in Active Directory?

Enabling the policy to store BitLocker recovery information in Active Directory using Group Policy ensures that recovery keys are automatically backed up to the domain. However, by default, BitLocker recovery information is not visible in domain controllers unless the 'BitLocker Recovery Password Viewer' feature is enabled.

Without enabling this feature, the BitLocker Recovery tab will not be visible in ADUC, and the recovery objects (msFVE-RecoveryInformation) cannot be retrieved using PowerShell. Therefore, this feature should be enabled in advance to ensure that recovery keys can be quickly accessed during emergency situations.

Enable BitLocker Recovery Password Viewer on an Active Directory domain controller

Follow the steps in Server Manager to enable the BitLocker Recovery tab in ADUC and allow BitLocker recovery information to be retrieved.

  • Open Server Manager and select “Add roles and features”.
  • Click Next until you reach the Select Features page and enable Remote Server Administration Tools.
  • Expand Remote Server Administration Tools»Feature Administration Tools»BitLocker Drive Encryption Administration Utilities.
  • Enable the BitLocker Recovery Password Viewer option and click Next.
  • Then, select “Restart the destination server automatically if required” checkbox, and click Yes on the Add Roles and Features wizard prompt.
  • Finally, click Install to begin the feature installation and allow the server to restart automatically.

Get BitLocker Recovery Key from Active Directory

Follow the steps below to view the BitLocker recovery key in Active Directory.

  • Open Server Manager and navigate to Tools»Active Directory Users and Computers.
  • Browse to the OU where the target computer object is located and right-click on the desired computer.
  • Select Properties and navigate to the BitLocker Recovery tab to view all the recovery keys for the device.

Alternatively, you can use the following PowerShell command to view the recovery keys of the device. Replace <ComputerDistinguishedName> with the distinguished name of the target computer.

Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' -SearchBase "<ComputerDistinguishedName>" -Properties msFVE-RecoveryPassword, whenCreated | Select-Object Name, DistinguishedName, msFVE-RecoveryPassword, whenCreated | Format-Table -AutoSize

4. How to back up the existing BitLocker Keys in Active Directory?

BitLocker does not store recovery keys in Active Directory unless the required policy is configured. This means devices encrypted earlier may not have their recovery keys saved in AD DS. As a result, the key might exist only on the local machine, increasing the risk of data loss during recovery situations. Backing up old BitLocker keys to Active Directory ensures centralized management, better security, and smooth recovery when needed.

Note: This method can also be used to re-back up BitLocker recovery keys to Active Directory if the existing backup was deleted for any reason.

Backup BitLocker recovery key in Active Directory using PowerShell

Follow the steps below to back up the BitLocker key using the following cmdlets.

  • Open PowerShell with admin privileges (elevated) and run the following cmdlet to list the key protectors of the drive. Replace <DriveLetter> with the letter of the drive whose key you want to back up.
    (Get-BitLockerVolume -MountPoint "<DriveLetter>:").KeyProtector
  • Next, run the following cmdlet to back up the selected key to Active Directory. Replace <ID> with the recovery password ID (the KeyProtectorId of the entry whose KeyProtectorType is RecoveryPassword) and ensure <DriveLetter> matches the drive used in the previous step.
    Backup-BitLockerKeyProtector -MountPoint "<DriveLetter>:" -KeyProtectorId "{<ID>}" | Format-Table -AutoSize

Store BitLocker keys in Active Directory using Command Prompt

Alternatively, you can back up the BitLocker key using the Command Prompt.

  • Run Command Prompt with admin privileges (elevated) and enter the following command to list the protectors of the selected drive and their IDs. Replace <DriveLetter> with the desired drive.
    manage-bde -protectors -get "<DriveLetter>:"
  • Next, run the following command to back up the recovery key to AD DS. Replace <ID> with the 'Numerical Password ID' from the previous output and ensure <DriveLetter> is the same drive.
    manage-bde -protectors -adbackup "<DriveLetter>:" -id "{<ID>}"
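The two procedures above back up one protector ID, looked up by hand, for one drive. The following added example (not from the original article) generalizes that: run in an elevated PowerShell session on the domain-joined client, it walks every BitLocker volume, adds a recovery password protector where a drive has none, and backs up each recovery password protector to AD DS, reporting the outcome per volume.

```powershell
# Added example: back up the recovery password of every encrypted volume on
# this machine to AD DS, so no drive is left with a key only on the local disk.
$results = foreach ($vol in Get-BitLockerVolume) {
    # A decrypted volume has no key worth backing up; record it and move on.
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        [PSCustomObject]@{ MountPoint = $vol.MountPoint; KeyProtectorId = $null; Action = 'Skipped (not encrypted)' }
        continue
    }

    $recoveryProtectors = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')

    # A TPM-only or password-only drive has no recovery password protector, so
    # there would be nothing for AD to hold; add one before backing up.
    if ($recoveryProtectors.Count -eq 0) {
        $vol = Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector
        $recoveryProtectors = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    }

    foreach ($kp in $recoveryProtectors) {
        try {
            # Same operation as the manual step above, once per protector ID found.
            Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $kp.KeyProtectorId -ErrorAction Stop | Out-Null
            $action = 'Backed up to AD DS'
        } catch {
            # Typical causes: machine not domain-joined, no domain controller
            # reachable, or the computer account cannot write beneath its own object.
            $action = "Failed: $($_.Exception.Message)"
        }
        [PSCustomObject]@{ MountPoint = $vol.MountPoint; KeyProtectorId = $kp.KeyProtectorId; Action = $action }
    }
}

$results | Format-Table -AutoSize
```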

5. How to remove the old BitLocker keys in Active Directory?

Over time, Active Directory can accumulate many BitLocker recovery keys for the same computer. This happens when a device is set up again or re-encrypted. Because old keys are never deleted from AD after a new backup, it becomes difficult to find the right one when a user is locked out, hardware changes, or multiple BitLocker configuration changes have occurred.

When too many BitLocker recovery keys are present, recovery becomes confusing, often after hardware changes, OS reinstallation, or similar events. In such cases, you can use the steps below to remove outdated recovery keys from computers in Active Directory.

Note: It is not recommended to delete stored recovery keys unless they are confirmed to be no longer needed.

Remove a BitLocker recovery key for a device using PowerShell

  • In an elevated PowerShell session, run the following command to retrieve the recovery keys linked to the specified computer, including their creation dates. Replace <ComputerDistinguishedName> with the distinguished name of the target workstation.
    Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' -SearchBase "<ComputerDistinguishedName>" -Properties msFVE-RecoveryPassword, whenCreated | Select-Object Name, DistinguishedName, msFVE-RecoveryPassword, whenCreated | Format-Table -AutoSize
  • Select the correct key by matching the creation date and replace <RecoveryKey> in the cmdlet below with the Distinguished Name of the appropriate recovery key object.
    Remove-ADObject -Identity "<RecoveryKey>" -Confirm:$true
  • Next, press "Y" to confirm the action and remove the BitLocker recovery key for the specified computer.

Note: Formatting a BitLocker-encrypted drive removes BitLocker protection, but it does not delete the recovery key stored in Active Directory. If BitLocker is enabled again, a new recovery key is backed up to Active Directory.

Delete all BitLocker recovery keys for a device in Active Directory

When multiple old recovery keys from the same computer make it difficult to identify the current key, admins can delete all existing keys and then back up the current recovery key from the client machine. In such scenarios, you can use the following method to clear the existing records.

  • Open PowerShell with admin privileges and run the following cmdlet to remove all existing BitLocker keys for a computer in Active Directory. Replace <DistinguishedName> with the actual distinguished name of the computer.
    Get-ADObject -Filter {objectClass -eq "msFVE-RecoveryInformation"} -SearchBase (Get-ADComputer "<DistinguishedName>").DistinguishedName | Remove-ADObject -Confirm:$true
  • Then confirm the prompt by selecting "A" (Yes to All) to remove all the BitLocker recovery keys for the device.
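Deleting every key and re-backing up works, but the added example below (not from the original article) identifies stale objects more precisely: run on the client itself, it reads the recovery password protector IDs the volumes currently use and flags any recovery object under the computer's AD object whose GUID (the part of its name in braces) is not among them. It assumes the RSAT Active Directory module is installed on the client, and it runs Remove-ADObject with -WhatIf so nothing is deleted until the list has been reviewed.

```powershell
Import-Module ActiveDirectory

# Step 1: which recovery passwords does this machine use right now?
# Each volume may have its own, so every one of them is current and must be kept.
$currentIds = @(foreach ($vol in Get-BitLockerVolume) {
    foreach ($kp in $vol.KeyProtector) {
        # KeyProtectorId is "{GUID}"; [guid] accepts the braced form.
        if ($kp.KeyProtectorType -eq 'RecoveryPassword') { [guid]$kp.KeyProtectorId }
    }
})

# Step 2: every recovery object stored directly under this computer's AD object.
$computerDn = (Get-ADComputer -Identity $env:COMPUTERNAME).DistinguishedName
$adObjects = @(Get-ADObject -LDAPFilter '(objectClass=msFVE-RecoveryInformation)' `
    -SearchBase $computerDn -SearchScope OneLevel -Properties whenCreated)

# Step 3: the object name is "<timestamp>{<GUID>}", where the GUID is the
# protector ID; an object whose GUID no current volume uses is stale.
$stale = @(foreach ($obj in $adObjects) {
    if ($obj.Name -match '\{([0-9a-fA-F-]{36})\}') {
        $guid = [guid]$Matches[1]
        if ($currentIds -notcontains $guid) { $obj }
    }
})

"Current recovery protector IDs on this client : $($currentIds.Count)"
"Recovery objects in AD for $($env:COMPUTERNAME)       : $($adObjects.Count)"
"Stale objects that would be removed           : $($stale.Count)"
$stale | Select-Object Name, whenCreated | Format-Table -AutoSize

# Dry run: -WhatIf only prints what would be deleted. Drop it after reviewing
# the list above; current protector IDs are never in $stale, so they survive.
$stale | Remove-ADObject -WhatIf
```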

6. What are the best practices after enabling BitLocker?

BitLocker provides strong protection, but its effectiveness depends on maintaining proper conditions after encryption is enabled. Certain requirements must remain intact to keep devices stable, secure, and free from unexpected access issues. In some cases, these safeguards can also help prevent significant security incidents by ensuring encryption remains reliable.

Here are some best practices to follow after enabling BitLocker.

  • Keep the startup boot order unchanged. Booting from a USB drive or another device can change the platform measurements and cause BitLocker to enter recovery mode.
  • Verify that BitLocker protection is turned back on after any BIOS, firmware, or hardware update during which it was suspended.
  • Use stronger authentication such as a PIN (numerical PIN) or enhanced PIN on older or high-risk devices. This added layer of protection helps resist physical or brute-force attacks that TPM-only protection may not withstand.
  • Configure BitLocker on operating system drives only for computers with Trusted Platform Module (TPM) version 1.2 or higher to ensure secure key storage and reliable platform integrity.
  • Always back up your BitLocker recovery key, or you might lose access to your data if your system can't boot.
  • Enable recovery password rotation on OS and fixed drives so the recovery key is refreshed when needed. This lets Entra-joined and hybrid-joined devices automatically get a new key each time the previous one is used.
  • The TPM does not disable itself during normal use, but make sure it remains enabled after any BIOS/UEFI or boot configuration changes. If it is cleared or turned off, BitLocker will ask for the recovery key to unlock the drive.
