BitLocker Recovery Password Viewer for Active Directory

Applies To: Windows 7, Windows Server 2008 R2

The BitLocker Recovery Password Viewer helps to locate BitLocker Drive Encryption recovery passwords for computers running Windows 7, Windows Vista, Windows Server 2008 R2, or Windows Server 2008 in Active Directory Domain Services (AD DS). This tool is now part of Remote Server Administration Tools (RSAT) for Windows 7.

This tool lets you locate and view BitLocker recovery passwords that are stored in AD DS. You can use this tool to help recover data that is stored on a drive that has been encrypted by using BitLocker. The BitLocker Recovery Password Viewer tool is an extension for the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in. Using this tool, you can examine a computer object's Properties dialog box to view the corresponding BitLocker recovery passwords. Additionally, you can right-click a domain container and then search for a BitLocker recovery password across all the domains in the Active Directory forest.

RSAT for Windows 7 enables IT administrators to manage roles and features that are installed on computers that are running Windows Server 2008 R2, Windows Server 2008, or Windows Server 2003, from a remote computer that is running Windows 7. This feature is comparable in functionality to the Windows Server 2003 Administrative Tools Pack and RSAT for Windows Vista with Service Pack 1 (SP1).

For more information about RSAT for Windows 7, see Remote Server Administration Tools for Windows 7 in the Microsoft Download Center (https://go.microsoft.com/fwlink/?LinkId=167131).

Usage requirements

To view recovery passwords, you must be a domain administrator, or you must have been delegated permissions by a domain administrator. In addition, to use the BitLocker Recovery Password Viewer, the following requirements must be met:

  • The domain must be configured to store BitLocker recovery information.

  • The computers protected by BitLocker must be joined to the domain.

  • BitLocker Drive Encryption must have been enabled on the computers.

Important

Before this tool will work within a domain, a member of the Enterprise Admins group must install and register BdeAducExt.dll in AD DS. Server Manager in Windows Server 2008 R2 attempts this registration automatically when the tool is first installed; if the installation runs under an account that does not have permission to register DLLs with AD DS, an error is shown at the end of the feature installation advising the user to have an enterprise admin run “regsvr32.exe BdeAducExt.dll”. If the installation is done using RSAT instead of Server Manager and the tool has not previously been registered in AD DS, a member of the Enterprise Admins group must run “regsvr32.exe BdeAducExt.dll” to register the DLL before the tool can be used, because RSAT does not register the DLL automatically.

Common tasks

The following procedures describe the most common tasks performed by using the BitLocker Recovery Password Viewer.

To view the recovery passwords for a computer

  1. In Active Directory Users and Computers, locate and then click the container in which the computer is located.

  2. Right-click the computer object, and then click Properties.

  3. In the Properties dialog box, click the BitLocker Recovery tab to view the BitLocker recovery passwords that are associated with the particular computer.

To copy the recovery passwords for a computer

  1. Follow the steps in the previous procedure to view the BitLocker recovery passwords.

  2. On the BitLocker Recovery tab of the Properties dialog box, right-click the BitLocker recovery password that you want to copy, and then click Copy Details.

  3. Press CTRL+V to paste the copied text to a destination location, such as a text file or spreadsheet.

To locate a recovery password

  1. In Active Directory Users and Computers, right-click the domain container, and then click Find BitLocker Recovery Password.

  2. In the Find BitLocker Recovery Password dialog box, type the first eight characters of the recovery password in the Password ID (first 8 characters) box, and then click Search.
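The two lookups above (per-computer view and forest-wide search by the first eight characters of the Password ID) can also be scripted against the same AD DS objects the viewer reads. The following is an added example, not code from this article or from the tool; it assumes the Active Directory module for Windows PowerShell is installed and that the caller holds the same delegated read rights the viewer requires.

```powershell
# Added example; assumes the Active Directory module (part of RSAT) and the same
# delegated read rights the viewer requires. Not code from the article or tool.
Import-Module ActiveDirectory

# Recovery data lives in msFVE-RecoveryInformation child objects of the computer
# object: the name ends in "{<Password ID>}", msFVE-RecoveryPassword holds the
# 48-digit recovery password (what the BitLocker Recovery tab displays).
function Get-ComputerBitLockerRecovery {
    param([Parameter(Mandatory = $true)][string]$ComputerName)
    $computer = Get-ADComputer -Identity $ComputerName
    Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
        -Filter { objectClass -eq 'msFVE-RecoveryInformation' } `
        -Properties msFVE-RecoveryGuid, msFVE-RecoveryPassword, whenCreated |
    ForEach-Object {
        [pscustomobject]@{
            Computer         = $computer.Name
            PasswordId       = ([guid]$_.'msFVE-RecoveryGuid').Guid.ToUpper()
            Created          = $_.whenCreated
            RecoveryPassword = $_.'msFVE-RecoveryPassword'
        }
    }
}

# Equivalent of the Find BitLocker Recovery Password dialog: match the first
# eight characters of the Password ID against the object name in each domain of
# the forest and report the computer that owns the matching object.
function Find-BitLockerRecoveryPassword {
    param([Parameter(Mandatory = $true)][string]$PasswordIdPrefix)
    # Only hex digits are valid; rejecting anything else keeps the LDAP filter literal.
    if ($PasswordIdPrefix -notmatch '^[0-9A-Fa-f]{8}$') {
        throw 'Password ID prefix must be exactly 8 hexadecimal characters.'
    }
    $filter = "(&(objectClass=msFVE-RecoveryInformation)(name=*{$($PasswordIdPrefix)*))"
    foreach ($domain in (Get-ADForest).Domains) {
        Get-ADObject -Server $domain -LDAPFilter $filter `
            -Properties msFVE-RecoveryPassword, whenCreated |
        ForEach-Object {
            # The parent of the recovery object (split at the first unescaped
            # comma of the DN) is the computer object.
            $parentDn = ($_.DistinguishedName -split '(?<!\\),', 2)[1]
            [pscustomobject]@{
                Domain           = $domain
                Computer         = (Get-ADObject -Server $domain -Identity $parentDn).Name
                Created          = $_.whenCreated
                RecoveryPassword = $_.'msFVE-RecoveryPassword'
            }
        }
    }
}
```

Call `Get-ComputerBitLockerRecovery -ComputerName <name>` for the per-computer view, or `Find-BitLockerRecoveryPassword -PasswordIdPrefix <8 hex characters>` for the search; a computer that returns no objects has no recovery information escrowed, which is worth checking before relying on the tool for recovery.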