Install BitLocker Recovery Password Viewer (Windows 10)


Marq Pargman

Jul 9, 2024, 9:15:20 AM
to acevnterni

Support for Windows Vista without any service packs installed ended on April 13, 2010. To continue receiving security updates for Windows, make sure you're running Windows Vista with Service Pack 2 (SP2). For more information, see this Microsoft web page: Support is ending for some versions of Windows.




This article describes how to use the BitLocker Recovery Password Viewer for Active Directory Users and Computers tool. The BitLocker Drive Encryption feature is a data protection feature that's included with the following versions of Windows Vista:

This article also provides information about optional use of the BitLocker Recovery Password Viewer for XP-based computers.
If you want to obtain the BitLocker Recovery Password Viewer tool for Windows XP/Windows Server 2003, please contact a Microsoft Support Professional.

You can use this tool to help locate BitLocker Drive Encryption recovery passwords for Windows Vista-based computers in Active Directory Domain Services (AD DS). The Active Directory Users and Computers Microsoft Management Console (MMC) snap-in must be installed via the Remote Server Administrator Tools (RSAT).

To use this tool to retrieve BitLocker Drive Encryption passwords, you must use an account that has sufficient rights. You must be a domain administrator, or you must be granted sufficient rights by a domain administrator.

The BitLocker Recovery Password Viewer lets you locate and view BitLocker recovery passwords that are stored in AD DS. You can use this tool to help recover data that's stored on a volume that has been encrypted by using BitLocker. The BitLocker Recovery Password Viewer tool is an extension for the Active Directory Users and Computers MMC snap-in. After you install this tool, you can examine the Properties dialog box of a computer object to view the corresponding BitLocker recovery passwords. Additionally, you can right-click a domain container and then search for a BitLocker recovery password across all the domains in the Active Directory forest (multiple domains).

To install the BitLocker Recovery Password Viewer tool successfully, the installation program must update the Active Directory configuration database. The installation program adds the following two attributes to AD DS if these two attributes aren't already present.

These changes to AD DS affect every domain in the forest. You must have Enterprise Administrator rights to modify the Active Directory configuration database. However, after the BitLocker Recovery Password Viewer tool has been installed in a forest, you only have to have Read permissions to the Active Directory configuration database for later installations of the BitLocker Recovery Password Viewer tool. By default, all domain users have Read permissions for the Active Directory configuration database.

The installation rights are the same for Windows XP and Windows Vista. Use the following information to help troubleshoot installation error messages that you may receive when you install the BitLocker Recovery Password Viewer tool:

You receive this error message if you installed the Windows XP version of the BitLocker Recovery Password Viewer tool on a Windows Vista-based computer. You must install the Windows Vista-based version of the tool on Windows Vista-based computers.

You receive this error message if you don't have sufficient rights to install the BitLocker Recovery Password Viewer tool on a Windows XP-based computer. You must have local Administrator rights to install this tool.

You may receive this error message when you try to install the first instance of the BitLocker Recovery Password Viewer tool in a forest. For the first installation of this tool, you must have Read and Write permissions to the computer-Display object and to the domainDNS-Display object in AD DS. Also, you must have Read and Write permissions to the parent containers of these objects in the Active Directory configuration database. By default, members of the Enterprise Administrators group have Read and Write permissions to these objects.

You may receive this error message when you try to perform a second or later installation of the BitLocker Recovery Password Viewer tool in a domain. To perform a second or later installation of this tool, you must have at least Read permissions to the computer-Display object and to the domainDNS-Display object in AD DS. Also, you must have at least Read permissions to the parent containers of these objects in the Active Directory configuration database.

The BitLocker Recovery Password Viewer tool extends the Active Directory Users and Computers MMC snap-in. To start Active Directory Users and Computers, click Start > Run, type dsa.msc, and then click OK.

In the ComputerName Properties dialog box, click the BitLocker Recovery tab to view the BitLocker recovery passwords that are associated with the particular computer.

A1: When you start the computer to the BitLocker Recovery screen, Windows Vista gives you a drive label and a password ID. You can use this information together with the BitLocker Recovery Password Viewer tool to locate the matching BitLocker recovery password that is stored in AD DS.

If a user who doesn't have sufficient rights installs the BitLocker Recovery Password Viewer tool, that user can't locate any recovery passwords for any computer. Also, if you use the BitLocker Recovery Password Viewer tool to search for recovery passwords among all the domains in a forest, results are returned only from the domains in which you have sufficient rights.

The BitLocker Recovery Password Viewer tool cannot distinguish between a situation in which no recovery passwords exist for a particular computer and a situation in which you do not have sufficient rights to view the recovery password for a particular computer.

A3: Usually, the BitLocker recovery passwords for a particular computer appear on the BitLocker Recovery tab of the ComputerName Properties dialog box for that computer. However, if a computer is renamed, you may be unable to locate the correct computer. This is because the drive label information still contains the original computer name. In this situation, you must use the password ID information to search for the recovery password.

A4: This is a design decision that's intended to help simplify searching for recovery passwords without sacrificing the accuracy of the search operation. Tests that randomly generated over one million password IDs typically yielded only 100 duplicates for the first eight characters of the password ID. So even if you have one million recovery passwords in a search domain, it's unlikely that two recovery passwords will be returned by a single search operation. Additionally, it's even more unlikely that more than two recovery passwords will be returned in the same search.

We recommend that you examine the returned recovery password to make sure that it matches the whole password ID that you used to perform the search. This is to verify that you have obtained the unique recovery password.

A5: Generally, it takes no more than several seconds to search for a password ID across all the domains of a forest. However, you may experience decreased performance if the following conditions are true:

The BitLocker Recovery Password Viewer tool is an optional tool included with the Remote Server Administration Tools (RSAT) for Windows Server 2012 that are available to install when you install the BitLocker feature. This tool lets you locate and view BitLocker recovery passwords that are stored in Active Directory Domain Services (AD DS). You can use this tool to help recover data that is stored on a drive that has been encrypted by using BitLocker. The BitLocker Active Directory Recovery Password Viewer tool is an extension for the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in. Using this tool, you can examine a computer object's Properties dialog box to view the corresponding BitLocker recovery passwords. Additionally, you can right-click a domain container and then search for a BitLocker recovery password across all the domains in the Active Directory forest. You can also search for a password by password identifier (ID).

If a device or drive fails to unlock using the configured BitLocker mechanism, users may be able to self-recover it. If self-recovery isn't an option, or the user is unsure how to proceed, the helpdesk should have procedures in place to retrieve recovery information quickly and securely.

This article outlines the process of obtaining BitLocker recovery information for Microsoft Entra joined, Microsoft Entra hybrid joined, and Active Directory joined devices. It's assumed that the reader is already familiar with configuring devices to automatically back up BitLocker recovery information, and the available BitLocker recovery options. For more information, see the BitLocker recovery overview article.

If self-recovery includes using a password or recovery key stored on a USB flash drive, the users must be warned not to store the USB flash drive in the same place as the device, especially during travel. For example, if both the device and the recovery items are in the same bag, it would be easy for an unauthorized user to access the device. Another policy to consider is having users contact the helpdesk before or after performing self-recovery so that the root cause can be identified.

If BitLocker recovery keys are stored in Microsoft Entra ID, users can access them using the following URL: From the Devices tab, users can select a Windows device that they own, and select the option View BitLocker Keys.

By default, users can retrieve their BitLocker recovery keys from Microsoft Entra ID. This behavior can be modified with the option Restrict users from recovering the BitLocker key(s) for their owned devices. For more information, see Restrict member users' default permissions.
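The A4 answer and the recommendation that follows it (search on the first eight characters of the password ID, then confirm the whole ID) can be checked with a short model. This is an added example, not part of the original post or of the tool; it assumes password IDs are GUID-style hexadecimal strings, so an eight-character prefix has 16^8 possible values, and the records and recovery-password strings are constructed placeholders.

```python
from collections import defaultdict

PREFIX_LEN = 8  # the search matches on the first eight characters of the password ID

def normalize(password_id):
    """Strip whitespace/braces and upper-case so comparisons are exact."""
    return password_id.strip().strip("{}").upper()

def expected_prefix_collisions(n, prefix_len=PREFIX_LEN):
    """Birthday approximation: expected pairs of IDs sharing a hex prefix."""
    return n * (n - 1) / 2 / 16 ** prefix_len

def build_index(records):
    """Map each eight-character prefix to the full records that carry it."""
    index = defaultdict(list)
    for password_id, recovery_password in records:
        pid = normalize(password_id)
        index[pid[:PREFIX_LEN]].append((pid, recovery_password))
    return index

def lookup(index, full_password_id):
    """Return (prefix candidates, records whose whole ID matches)."""
    wanted = normalize(full_password_id)
    candidates = index.get(wanted[:PREFIX_LEN], [])
    exact = [rec for rec in candidates if rec[0] == wanted]
    return candidates, exact

# Constructed sample data: the first two IDs deliberately share a prefix.
SAMPLE_RECORDS = [
    ("{1A2B3C4D-0000-4000-8000-000000000001}", "PLACEHOLDER-RECOVERY-PASSWORD-A"),
    ("{1A2B3C4D-FFFF-4FFF-8FFF-FFFFFFFFFFFF}", "PLACEHOLDER-RECOVERY-PASSWORD-B"),
    ("{9F8E7D6C-1111-4111-8111-111111111111}", "PLACEHOLDER-RECOVERY-PASSWORD-C"),
]

if __name__ == "__main__":
    index = build_index(SAMPLE_RECORDS)
    shown_on_recovery_screen = "1a2b3c4d-ffff-4fff-8fff-ffffffffffff"
    candidates, exact = lookup(index, shown_on_recovery_screen)
    print("prefix matches:", len(candidates))
    print("whole-ID matches:", exact)
    print("expected colliding pairs in 1,000,000 IDs:",
          round(expected_prefix_collisions(1_000_000)))
```

Under the stated assumption the estimate for one million IDs is about 116 colliding pairs, the same order as the roughly 100 duplicates the answer reports, which is why a prefix search can return a second record and the whole ID has to be compared before a recovery password is handed out.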
