BitLocker Enterprise Deployment and Recovery Key Management: The Practitioner Guide for Intune, MBAM, and Active Directory Escrow

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
BitLocker is pre-installed on every Windows Pro, Enterprise, and Education edition. Most organizations have it partially deployed with inconsistent recovery key escrow, no PIN enforcement, and no compliance audit. The gap between 'BitLocker is on' and 'BitLocker is managed' is where the data loss events happen. This guide covers deployment through Intune (cloud-managed) and Active Directory (on-premises), recovery key escrow verification, TPM+PIN configuration, and the PowerShell queries that tell you which machines are actually encrypted.
Deploy BitLocker via Intune with Azure AD Key Escrow
Intune is the preferred management path for cloud-joined or hybrid-joined Windows 10/11 devices. Configuration is done through an Endpoint Protection profile.
Create the profile:
Intune > Devices > Configuration > Create > Windows 10 and later > Endpoint Protection
Key settings under Windows Encryption:
- Encrypt devices: Require
- BitLocker OS drive policy: Configure
- Startup authentication required: Yes
- Compatible TPM startup: Allowed
- Compatible TPM startup PIN: Required with TPM (enforces PIN)
- OS drive recovery: Enable
- Recovery key: Allow 48-digit recovery password
- Save BitLocker recovery information to Azure AD: Required
- Store recovery information in Azure AD before enabling BitLocker: Required (this is critical -- ensures escrow completes before encryption starts)
- BitLocker fixed drive policy: Configure (same recovery key escrow settings)
- BitLocker removable drive policy: Block write to drives not protected by BitLocker (optional but recommended)
Verify recovery key escrow in Azure AD:
# Using Microsoft Graph PowerShell
Connect-MgGraph -Scopes 'BitlockerKey.Read.All'
$keys = Get-MgInformationProtectionBitlockerRecoveryKey -All
$keys | Select-Object Id, CreatedDateTime, DeviceId | Format-Table
# Cross-reference DeviceId with your device inventory
Deploy BitLocker via Group Policy with Active Directory Key Escrow
For domain-joined devices managed via Group Policy:
Group Policy path:
Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption
OS Drive settings:
- Require additional authentication at startup: Enabled
- Require TPM: Not allowed
- Configure TPM startup PIN: Require startup PIN with TPM
- Choose how BitLocker-protected operating system drives can be recovered: Enabled
- Allow data recovery agent: Yes
- Configure 48-digit recovery password: Require
- Save BitLocker recovery information to AD DS: Enabled
- Do not enable BitLocker until recovery information is stored in AD DS: Enabled (escrow before encrypt)
Extend the AD schema (required for key escrow): Run on a domain controller from the Windows installation media:
cscript C:\Windows\System32\manage-bde.wsf -forcerecovery
# Or use the MBAM GPO templates which handle schema extension automatically
The recovery key lands in AD as a child object of the computer account. Verify:
Get-ADObject -Filter {objectclass -eq 'msFVE-RecoveryInformation'} `
-SearchBase (Get-ADComputer COMPUTERNAME).DistinguishedName `
-Properties msFVE-RecoveryPassword | Select msFVE-RecoveryPassword
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Enforce TPM+PIN Authentication
TPM-only protection is the default and is insufficient for high-security environments. A TPM seals the encryption key and releases it automatically at boot if the measured boot sequence matches. This means the disk decrypts without user interaction -- protecting against offline attacks but not against a powered-on stolen device or DMA-based key extraction.
TPM+PIN requires a 6-20 character PIN at every boot, preventing decryption without physical presence.
Configure minimum PIN length:
Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives
- Configure minimum PIN length for startup: 8 (minimum; use 12 for high-sensitivity endpoints)
Allow enhanced PIN (alphanumeric):
- Allow enhanced PINs for startup: Enabled
Enforce via Intune (see above) or set via Group Policy as above. Note: TPM+PIN requires the user to enter the PIN at every boot including after updates and patches. Factor this into your patch restart workflow -- machines that restart remotely after patching will hang at the pre-boot PIN prompt until a user physically (or via IPMI/iLO) enters the PIN. Plan for automated PIN bypass in headless server environments using the Network Unlock feature.
BitLocker Compliance Auditing
Knowing which machines have BitLocker enabled (and whether the recovery keys are escrowed) requires active auditing. 'BitLocker is in your policy' is not the same as 'BitLocker is encrypting your devices.'
Audit via PowerShell (on-premises, run as domain admin):
# Get all computers in AD
$computers = Get-ADComputer -Filter * -Properties Name, OperatingSystem
$results = foreach ($c in $computers) {
try {
$keys = Get-ADObject -Filter {objectclass -eq 'msFVE-RecoveryInformation'} `
-SearchBase $c.DistinguishedName -Properties Created -ErrorAction Stop
[PSCustomObject]@{
Computer = $c.Name
OS = $c.OperatingSystem
HasKey = ($keys.Count -gt 0)
KeyCount = $keys.Count
LastKey = ($keys | Sort-Object Created | Select -Last 1).Created
}
} catch {
[PSCustomObject]@{
Computer = $c.Name
OS = $c.OperatingSystem
HasKey = $false
KeyCount = 0
LastKey = $null
}
}
}
$results | Where-Object HasKey -eq $false | Export-Csv 'no-bitlocker-key.csv' -NoTypeInformation
Audit via Intune:
Devices > Monitor > Encryption report shows encryption status and key escrow status per device. Filter by 'Not encrypted' or 'Key escrow: Not ready' to identify gaps.
Rotate recovery keys after any use:
# Force key rotation after a recovery
manage-bde -protectors -adbackup C: -id {KEYID}
# Or via Intune: rotate BitLocker key from the device blade
The bottom line
BitLocker deployment is the easy part -- the management is where organizations fail. The three requirements for a defensible BitLocker program: recovery keys escrowed to AD or Intune before encryption starts (not after), TPM+PIN enforced on laptops and high-sensitivity endpoints, and a quarterly compliance audit confirming every managed device has an escrowed key. Any used recovery key should be rotated immediately -- a used key is a compromised key.
Frequently asked questions
Is TPM-only BitLocker protection secure enough?
It depends on your threat model. TPM-only protection defends against offline attacks -- someone pulling the drive and reading it in another machine. It does not defend against an attacker with access to a running or recently-powered-off system, DMA attacks via Thunderbolt or PCIe interfaces, or evil maid attacks against the boot sequence. For laptops, TPM+PIN is the recommended standard because theft is a realistic scenario. For desktops in physically secured server rooms, TPM-only may be acceptable. For highly regulated environments, TPM+PIN on all endpoints is the baseline.
What happens to BitLocker keys when a device leaves Azure AD?
The recovery keys stored in Azure AD are tied to the device object. If the device object is deleted from Azure AD (for example, when wiping and re-registering), the recovery keys associated with that device object are deleted with it. Before decommissioning or re-imaging a device, rotate the recovery keys and confirm the new keys are escrowed before the old device object is removed. For Intune-managed devices, the Retire or Wipe action handles this cleanly, but ad-hoc Azure AD object deletions do not.
Can BitLocker be bypassed?
Not easily, with TPM+PIN enabled. The known attack surface includes: cold boot attacks (extracting keys from RAM while powered on, mitigated by memory scrubbing on shutdown), DMA attacks via Thunderbolt (mitigated by Kernel DMA Protection in firmware settings), and supply chain attacks against the TPM or firmware. TPM-only BitLocker without Secure Boot has been bypassed by attackers who modified the boot sequence to extract the key. With Secure Boot + TPM + PIN, the practical attack surface is reduced to physical access during an active session, which is a manageable residual risk for most organizations.
How do I recover a BitLocker-locked device without the recovery key?
Without the recovery key, the data is not recoverable. This is by design. If the key is not escrowed in AD or Intune, and the user does not have the key, the only option is wiping the device. This is why 'Do not enable BitLocker until recovery information is stored in AD DS' is a critical policy setting. If you are in this situation on a live device: check AD (msFVE-RecoveryInformation under the computer object), check Intune (Devices > device blade > Recovery keys), and check whether the user has the key saved in their personal Microsoft account (if BitLocker was set up outside of enterprise policy).
Does BitLocker protect against ransomware?
No. BitLocker protects against offline data theft -- someone physically taking the drive. Ransomware runs while the OS is booted, at which point BitLocker has already decrypted the volume for the OS to use. The ransomware encrypts files on top of the already-decrypted filesystem. BitLocker and ransomware protection are orthogonal controls addressing different threat scenarios.
How does BitLocker Network Unlock work and when should I use it?
BitLocker Network Unlock allows BitLocker-encrypted machines to unlock automatically when connected to a trusted corporate network, without requiring a PIN or USB key at boot. When the machine boots, the BitLocker boot agent sends an encrypted unlock request to a Windows Deployment Services (WDS) server on the network. If the machine's TPM measurements are valid and the network connection is authenticated (via a certificate in the machine's TPM), the WDS server provides the unlock protector. This enables servers and other devices that must restart unattended (after patches, power events) to boot automatically when on-premises, while still requiring a recovery key if booted off-network or if the boot measurements change. Network Unlock requires: WDS server on the same network segment, BitLocker Network Unlock feature installed on the WDS server, a Network Unlock certificate distributed to endpoints via Group Policy, and TPM 2.0 on client machines with a valid network boot path. Use Network Unlock for servers and datacenter systems that cannot accept a PIN at boot; use TPM-only unlock for workstations in controlled environments; use TPM + PIN for laptops that could be removed from the facility.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
