Recover BitLocker keys from AD Recycle Bin


 You have AD with Recycle Bin enabled.

You are storing BitLocker recovery keys in AD

You have deleted a computer object with BitLocker Recovery information on it

You then restored that computer account from recycle bin.

No BitLocker Recovery information exists on the recovered computer object !!!!! What the heck ?!


Going back to basics…. do you know where the BitLocker information is stored for a computer object ? They are stored as a child object below the computer object itself.


Now, when the computer get deleted from Active Directory and moved to the AD recycle bin, the links between the child objects and the parent are broken. In the AD recycle bin you will see both computer objects and child objects randomly stored there. If you put your hand in this recycle bin and pull a computer object, you will not see any of its child objects attached to it any more. This is exactly what happened when you restored the AD computer from recycle bin, you will get the computer object without its child objects.



Lucky for all of us, each child objects of type (BitLocker Recovery Information) will have an attribute called (lastKnownParent). So theoretically if you go to the recycle bin and asked ” i have a parent called ComputerX, so which of you guys are the sons of this computer (which of you has the lastknownParent = ComputerX).

Download Script

Go to your Domain Controller or any machine with ActiveDirectory PowerShell Module, open PowerShell using a domain administrator account (only domain admin can restore from AD recycle bin), run the script from there. Make sure AD PowerShell module exist on that machine.

Do not forget that you may need to run Set-ExecutionPolicy Unrestricted on PowerShell to allow script execution.

I have no single credit writing this script. You can find the script here written by (Norman Bauer). I have also copied the script to my repository so you can download it directly .

Download the script  BitLockerInfo_From_RecycleBin

How does the script work

  • It will ask you about the name of computer to restore
  • Validation check : checking if that computer exists in AD first
  • If not, then the computer may be in recycle bin, search there and report if it is not there also ($deleted = Get-ADObject -IncludeDeletedObjects -Filter {sAMAccountName -eq $computername -and Deleted -eq $True}
  • If the computer in recycle bin, we will going to restore it ($deleted | Restore-ADObject)
  • Then we will search the recycle bin for child objects that have LastKnownParent equals the DistinguishedName for the restored computer ($recoveryinfos = Get-ADObject -IncludeDeletedObjects -Filter {lastKnownParent -eq $restoredobject.DistinguishedName -and Deleted -eq $True -and objectClass -eq ‘msFVE-RecoveryInformation’})
  • If found, for each child object ForEach($recoveryinfo in $recoveryinfos) we are going to  $recoveryinfo | Restore-ADObject