Not able to retrieve bitlocker key

Hi Everyone

I am having some issues trying to retrieve bitlocker information from the DC.

$computer = get-adcomputer computername

Get-ADObject -Filter 'ObjectClass -eq "msFVE-RecoveryInformation"' -SearchBase $Computer.DistinguishedName -Properties "msFVE-RecoveryPassword" | select msFVE-RecoveryPassword

I have used this code twice to successfully retrieve the BitLocker key; the results are listed in descending order.

However, recently on the same DC I am unable to retrieve the information. I am able to see the BitLocker information when I open up AD to look it up manually, but running the code recently doesn't return any results, whereas it did before. No errors come up; it just returns to the prompt. I have located other code for retrieving the BitLocker key but this too does not return any information to me; again it just takes me back to the prompt without any errors.

I am running this query on a Server 2008 R2 Standard which is hosted on a VM.

Greatly appreciate if anyone can help


I’d have to look at the specific permissions on that attribute. It’s possible some patch changed them so they can’t be queried in the same way.

Thanks for the tip, Don. I looked at a number of patches that had been applied last month on the server, a number of them security patches for .NET Framework 3.5.1, but I was not able to find the relevant information on the MS site to give me more detail. I am going to ask the MS community to see what help they can provide.

OK, I had a further look into this. For some reason the code is working on one of the DCs but not on the other, though both DCs are Windows Server 2008 R2 Standard. On both I can see the BitLocker key in the AD GUI, but I'm not sure why the PowerShell code works on one DC but not the other, with no errors on the second DC as mentioned earlier.

I think this thread can be closed. Thanks for replying, Don. :)

Is there any chance you’re running PowerShell as “Admin” on one DC but not the other? In 2008 and above a lot of attributes are hidden unless you run your queries as Admin.


What happens when you target the bad DC from the good DC? Try this (where BADDC is the name of your failing server):

Get-ADObject -Filter 'ObjectClass -eq "msFVE-RecoveryInformation"' -SearchBase $Computer.DistinguishedName -Properties "msFVE-RecoveryPassword" -Server BADDC | select msFVE-RecoveryPassword

Do you get the expected results? How about when you do the opposite and query the good DC from the bad one?
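The following is an added example, not code posted by anyone in this thread. It wraps the query from the original post and David's per-DC variant into one function so the same computer can be checked against each DC in turn, and it separates the two ways the lookup can come back empty: no msFVE-RecoveryInformation child objects visible at all, or objects visible but the msFVE-RecoveryPassword attribute blank, which points at attribute-level read permissions rather than a missing object. It assumes the ActiveDirectory module (RSAT) is installed and that the caller already holds the rights needed to read BitLocker recovery information; WS01, GOODDC and BADDC are placeholder names.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory module.
function Get-BitLockerRecoveryInfo {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        # Optional: pin both lookups to one domain controller (David's -Server idea).
        [string] $Server
    )

    Import-Module ActiveDirectory -ErrorAction Stop

    # Splat -Server only when the caller supplied one; otherwise the module's
    # default DC selection applies, as in the original post.
    $adParams = @{}
    if ($Server) { $adParams['Server'] = $Server }
    $queried = if ($Server) { $Server } else { '(default DC)' }

    $computer = Get-ADComputer -Identity $ComputerName @adParams

    # Recovery information objects are direct children of the computer object,
    # so OneLevel is enough and avoids scanning anything deeper.
    $objects = @(Get-ADObject -Filter 'ObjectClass -eq "msFVE-RecoveryInformation"' `
        -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
        -Properties msFVE-RecoveryPassword, msFVE-RecoveryGuid, whenCreated @adParams)

    if ($objects.Count -eq 0) {
        # Nothing came back and no error was raised, which is the symptom in
        # the thread: the child objects are not readable by this session on
        # this DC. Elevation and the ACL on the computer's child objects are
        # the first things to compare with a DC that does return results.
        Write-Warning ("No msFVE-RecoveryInformation objects visible under " +
            "$($computer.DistinguishedName) on $queried.")
        return
    }

    # Object names start with a timestamp, so sorting by Name descending puts
    # the newest recovery password first (the ordering the original post saw).
    foreach ($obj in ($objects | Sort-Object Name -Descending)) {
        [pscustomobject]@{
            ComputerName     = $computer.Name
            QueriedServer    = $queried
            Created          = $obj.whenCreated
            RecoveryGuid     = if ($obj.'msFVE-RecoveryGuid') { [guid]$obj.'msFVE-RecoveryGuid' } else { $null }
            # $false here with objects present means the object is readable
            # but the password attribute itself is not.
            PasswordReadable = [bool]$obj.'msFVE-RecoveryPassword'
            RecoveryPassword = $obj.'msFVE-RecoveryPassword'
        }
    }
}

# Compare the same computer against both DCs from one session. A DC that
# returns objects with PasswordReadable = $false, or no objects at all,
# differs from the other in permissions or replication, not in the script.
'GOODDC', 'BADDC' | ForEach-Object {
    Get-BitLockerRecoveryInfo -ComputerName 'WS01' -Server $_
} | Format-Table QueriedServer, Created, PasswordReadable -AutoSize
```

Run it once per DC from the same elevated session so that the only variable left is the DC being queried; if the warning fires for one server and not the other, the difference is on that server's side, which is what David's suggestion is designed to expose.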

I only just saw David's reply today. I cannot remember the exact reason my system admin colleague pointed out to me that day for why it was not showing up, and I do not have the book he referred to either. But yes, to my understanding it is like a hidden attribute on the one server where I cannot query the information. It did not occur to me to try querying from the good DC, but since changing jobs I do not have the opportunity to try this. Many thanks for replying and making the suggestion.