How to Export BitLocker Recovery Keys from Active Directory Using PowerShell

First, you need to ensure the ActiveDirectory PowerShell module is available on your system. This module is part of the Remote Server Administration Tools (RSAT).

On Windows 10/11, install RSAT tools using this command:

Add-WindowsCapability -Online -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0

On Windows Server, the module is typically installed by default. Verify the module is available:

Get-Module -ListAvailable -Name ActiveDirectory

Import the module and test domain connectivity:

Import-Module ActiveDirectory
Get-ADDomain

Create a comprehensive PowerShell script that will search Active Directory for BitLocker recovery information. Open your favorite text editor and create a new file called Export-BitLockerKeys.ps1:

param(
    [string]$SearchBase = "",
    [string]$OutputPath = "C:\temp\BitLockerKeys.csv"
)

function Export-BitLockerKeys {
    param([string]$SearchBase, [string]$OutputPath)

    try {
        Write-Host "Starting BitLocker recovery key export..." -ForegroundColor Green

        # Ensure output directory exists
        $outputDir = Split-Path $OutputPath -Parent
        if (!(Test-Path $outputDir)) {
            New-Item -ItemType Directory -Path $outputDir -Force
            Write-Host "Created output directory: $outputDir" -ForegroundColor Yellow
        }

        # Set up search parameters
        $searchParams = @{
            Filter = "*"
            Properties = @('Name', 'DistinguishedName', 'OperatingSystem', 'LastLogonDate')
        }
        if ($SearchBase) { 
            $searchParams.SearchBase = $SearchBase
            Write-Host "Searching in OU: $SearchBase" -ForegroundColor Yellow 
        }

        # Get all computer objects
        $computers = Get-ADComputer @searchParams
        Write-Host "Found $($computers.Count) computer objects" -ForegroundColor Yellow

        $results = @()
        $counter = 0
        
        foreach ($computer in $computers) {
            $counter++
            Write-Progress -Activity "Processing computers" -Status "Processing $($computer.Name)" -PercentComplete (($counter / $computers.Count) * 100)
            
            # Search for BitLocker recovery information objects
            $recoveryInfo = Get-ADObject -Filter "objectClass -eq 'msFVE-RecoveryInformation'" -SearchBase $computer.DistinguishedName -Properties *
            
            if ($recoveryInfo) {
                foreach ($recovery in $recoveryInfo) {
                    $results += [PSCustomObject]@{
                        ComputerName = $computer.Name
                        RecoveryPassword = $recovery.'msFVE-RecoveryPassword'
                        RecoveryID = $recovery.'msFVE-RecoveryGuid'
                        CreationTime = $recovery.whenCreated
                        DistinguishedName = $computer.DistinguishedName
                        OperatingSystem = $computer.OperatingSystem
                        VolumeGUID = $recovery.'msFVE-VolumeGuid'
                        LastLogon = $computer.LastLogonDate
                    }
                }
            }
        }

        Write-Progress -Activity "Processing computers" -Completed

        if ($results.Count -gt 0) {
            $results | Export-Csv -Path $OutputPath -NoTypeInformation -Encoding UTF8
            Write-Host "Export completed! $($results.Count) recovery keys exported to $OutputPath" -ForegroundColor Green
            Write-Host "File size: $([math]::Round((Get-Item $OutputPath).Length / 1KB, 2)) KB" -ForegroundColor Cyan
        } else {
            Write-Host "No BitLocker recovery keys found in Active Directory." -ForegroundColor Yellow
        }
    } catch {
        Write-Error "Error during export: $($_.Exception.Message)"
    }
}

# Execute the function
Export-BitLockerKeys -SearchBase $SearchBase -OutputPath $OutputPath

Save this script to a location like C:\Scripts\Export-BitLockerKeys.ps1.

Before running the script, you need to ensure PowerShell can execute it. Check your current execution policy:

Get-ExecutionPolicy

If it returns Restricted, you'll need to change it. Set the execution policy to allow local scripts:

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser

Alternatively, for a more restrictive approach, you can bypass the policy for this specific script execution:

PowerShell.exe -ExecutionPolicy Bypass -File "C:\Scripts\Export-BitLockerKeys.ps1"

Execute the script to export BitLocker keys from the entire domain. Navigate to your script directory and run:

cd C:\Scripts
.\Export-BitLockerKeys.ps1 -OutputPath "C:\Reports\BitLockerKeys_$(Get-Date -Format 'yyyyMMdd_HHmmss').csv"

This command will:

• Search the entire domain for computer objects
• Extract BitLocker recovery information for each computer
• Create a timestamped CSV file in the Reports directory

Monitor the progress as the script processes each computer. For large domains, this may take several minutes.

$csvFile = Get-ChildItem "C:\Reports\BitLockerKeys_*.csv" | Sort-Object LastWriteTime -Descending | Select-Object -First 1
Import-Csv $csvFile.FullName | Select-Object -First 5 | Format-Table

You should see columns for ComputerName, RecoveryPassword, RecoveryID, CreationTime, and other fields.

For better organization and performance, you can target specific OUs instead of the entire domain. First, identify your target OU's distinguished name:

Get-ADOrganizationalUnit -Filter "Name -like '*Workstations*'" | Select-Object Name, DistinguishedName

Run the script targeting a specific OU:

.\Export-BitLockerKeys.ps1 -SearchBase "OU=Workstations,OU=Computers,DC=yourdomain,DC=com" -OutputPath "C:\Reports\BitLocker_Workstations.csv"

You can also target multiple OUs by running the script multiple times with different SearchBase parameters:

# Export from Workstations OU
.\Export-BitLockerKeys.ps1 -SearchBase "OU=Workstations,DC=yourdomain,DC=com" -OutputPath "C:\Reports\BitLocker_Workstations.csv"

# Export from Laptops OU
.\Export-BitLockerKeys.ps1 -SearchBase "OU=Laptops,DC=yourdomain,DC=com" -OutputPath "C:\Reports\BitLocker_Laptops.csv"

$workstationsCount = (Import-Csv "C:\Reports\BitLocker_Workstations.csv").Count
Write-Host "Workstations OU: $workstationsCount recovery keys found" -ForegroundColor Green

Once you have your CSV export, it's important to analyze the data for completeness and accuracy. Load the CSV and perform basic analysis:

$bitlockerData = Import-Csv "C:\Reports\BitLockerKeys_20260316_143022.csv"

# Display summary statistics
Write-Host "Total recovery keys exported: $($bitlockerData.Count)" -ForegroundColor Green
Write-Host "Unique computers with keys: $($bitlockerData | Select-Object ComputerName -Unique | Measure-Object).Count" -ForegroundColor Cyan

# Show computers with multiple recovery keys (multiple drives or key rotations)
$multipleKeys = $bitlockerData | Group-Object ComputerName | Where-Object {$_.Count -gt 1}
if ($multipleKeys) {
    Write-Host "Computers with multiple recovery keys: $($multipleKeys.Count)" -ForegroundColor Yellow
    $multipleKeys | Select-Object Name, Count | Format-Table
}

# Check for recent key creations (last 30 days)
$recentKeys = $bitlockerData | Where-Object {[DateTime]$_.CreationTime -gt (Get-Date).AddDays(-30)}
Write-Host "Recovery keys created in last 30 days: $($recentKeys.Count)" -ForegroundColor Magenta

Validate the recovery password format (should be 48 digits in 8 groups of 6):

# Check for properly formatted recovery passwords
$invalidPasswords = $bitlockerData | Where-Object {$_.RecoveryPassword -notmatch '^\d{6}-\d{6}-\d{6}-\d{6}-\d{6}-\d{6}-\d{6}-\d{6}$'}
if ($invalidPasswords) {
    Write-Warning "Found $($invalidPasswords.Count) entries with invalid recovery password format"
    $invalidPasswords | Select-Object ComputerName, RecoveryPassword | Format-Table
}

Enhance your BitLocker reporting with advanced filtering and formatting. Create a comprehensive report script:

# Advanced BitLocker Report Generation
$bitlockerData = Import-Csv "C:\Reports\BitLockerKeys_20260316_143022.csv"

# Create summary report
$summaryReport = @{
    'Total Recovery Keys' = $bitlockerData.Count
    'Unique Computers' = ($bitlockerData | Select-Object ComputerName -Unique).Count
    'Windows 11 Systems' = ($bitlockerData | Where-Object {$_.OperatingSystem -like "*Windows 11*"}).Count
    'Windows 10 Systems' = ($bitlockerData | Where-Object {$_.OperatingSystem -like "*Windows 10*"}).Count
    'Keys Created This Year' = ($bitlockerData | Where-Object {[DateTime]$_.CreationTime -gt (Get-Date -Month 1 -Day 1)}).Count
}

# Display summary
$summaryReport.GetEnumerator() | Sort-Object Name | Format-Table -AutoSize

# Find computers without recent logons (potential inactive systems)
$staleComputers = $bitlockerData | Where-Object {
    $_.LastLogon -and [DateTime]$_.LastLogon -lt (Get-Date).AddDays(-90)
} | Select-Object ComputerName, LastLogon, OperatingSystem | Sort-Object LastLogon

if ($staleComputers) {
    Write-Host "Computers with BitLocker keys but no logon in 90+ days: $($staleComputers.Count)" -ForegroundColor Yellow
    $staleComputers | Export-Csv "C:\Reports\BitLocker_StaleComputers.csv" -NoTypeInformation
}

# Create filtered exports by OS
$windows11Keys = $bitlockerData | Where-Object {$_.OperatingSystem -like "*Windows 11*"}
$windows10Keys = $bitlockerData | Where-Object {$_.OperatingSystem -like "*Windows 10*"}

if ($windows11Keys) {
    $windows11Keys | Export-Csv "C:\Reports\BitLocker_Windows11.csv" -NoTypeInformation
    Write-Host "Windows 11 systems exported: $($windows11Keys.Count) keys" -ForegroundColor Green
}

if ($windows10Keys) {
    $windows10Keys | Export-Csv "C:\Reports\BitLocker_Windows10.csv" -NoTypeInformation
    Write-Host "Windows 10 systems exported: $($windows10Keys.Count) keys" -ForegroundColor Green
}

Get-ChildItem "C:\Reports\BitLocker_*.csv" | Select-Object Name, Length, LastWriteTime | Format-Table

Set up automated BitLocker key exports using Windows Task Scheduler for regular reporting. First, create a wrapper script that includes logging:

# Save as C:\Scripts\Scheduled-BitLockerExport.ps1
$logPath = "C:\Logs\BitLockerExport.log"
$reportPath = "C:\Reports\Scheduled"

# Ensure directories exist
if (!(Test-Path "C:\Logs")) { New-Item -ItemType Directory -Path "C:\Logs" -Force }
if (!(Test-Path $reportPath)) { New-Item -ItemType Directory -Path $reportPath -Force }

# Start logging
Start-Transcript -Path $logPath -Append

try {
    Write-Host "Starting scheduled BitLocker export at $(Get-Date)" -ForegroundColor Green
    
    # Run the export
    $outputFile = "$reportPath\BitLocker_Weekly_$(Get-Date -Format 'yyyyMMdd').csv"
    & "C:\Scripts\Export-BitLockerKeys.ps1" -OutputPath $outputFile
    
    # Clean up old reports (keep last 4 weeks)
    Get-ChildItem $reportPath -Filter "BitLocker_Weekly_*.csv" | 
        Where-Object {$_.LastWriteTime -lt (Get-Date).AddDays(-28)} | 
        Remove-Item -Force
    
    Write-Host "Scheduled export completed successfully" -ForegroundColor Green
} catch {
    Write-Error "Scheduled export failed: $($_.Exception.Message)"
} finally {
    Stop-Transcript
}

Create the scheduled task using PowerShell:

# Create scheduled task for weekly BitLocker export
$action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-ExecutionPolicy Bypass -File 'C:\Scripts\Scheduled-BitLockerExport.ps1'"
$trigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Monday -At "02:00AM"
$principal = New-ScheduledTaskPrincipal -UserId "SYSTEM" -LogonType ServiceAccount -RunLevel Highest
$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -StartWhenAvailable

Register-ScheduledTask -TaskName "BitLocker Recovery Key Export" -Action $action -Trigger $trigger -Principal $principal -Settings $settings -Description "Weekly export of BitLocker recovery keys from Active Directory"

Get-ScheduledTask -TaskName "BitLocker Recovery Key Export" | Format-List
Start-ScheduledTask -TaskName "BitLocker Recovery Key Export"

# Check the log file after a few minutes
Get-Content "C:\Logs\BitLockerExport.log" -Tail 10