PRACTITIONER GUIDE | ENDPOINT SECURITY
Practitioner GuideUpdated 11 min read

BitLocker Enterprise Deployment and Recovery Key Management: The Practitioner Guide for Intune, MBAM, and Active Directory Escrow

AES-XTS-256
is the recommended BitLocker cipher for OS and fixed drives on Windows 10 version 1511 and later. AES-CBC-256 is available for removable drives for compatibility. XTS mode provides stronger integrity protection against manipulation attacks on ciphertext
TPM + PIN
is the strongest BitLocker protector combination for endpoints. TPM alone is vulnerable to DMA attacks and cold boot attacks; adding a PIN requires physical presence and knowledge to decrypt, blocking the majority of theft-based attacks
Escrowed before encryption
is the only safe deployment order. BitLocker should not encrypt a volume until the recovery key has been confirmed as escrowed to AD or Intune. Encrypting first and escrowing after creates a window where device loss means permanent data loss
48-digit key
is the format of a BitLocker recovery key. Each key is tied to a specific key protector on a specific volume. When a key is used for recovery, it should be immediately rotated -- used keys are compromised keys

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

BitLocker is pre-installed on every Windows Pro, Enterprise, and Education edition. Most organizations have it partially deployed with inconsistent recovery key escrow, no PIN enforcement, and no compliance audit. The gap between 'BitLocker is on' and 'BitLocker is managed' is where the data loss events happen. This guide covers deployment through Intune (cloud-managed) and Active Directory (on-premises), recovery key escrow verification, TPM+PIN configuration, and the PowerShell queries that tell you which machines are actually encrypted.

Deploy BitLocker via Intune with Azure AD Key Escrow

Intune is the preferred management path for cloud-joined or hybrid-joined Windows 10/11 devices. Configuration is done through an Endpoint Protection profile.

Create the profile: Intune > Devices > Configuration > Create > Windows 10 and later > Endpoint Protection

Key settings under Windows Encryption:

  • Encrypt devices: Require
  • BitLocker OS drive policy: Configure
    • Startup authentication required: Yes
    • Compatible TPM startup: Allowed
    • Compatible TPM startup PIN: Required with TPM (enforces PIN)
    • OS drive recovery: Enable
    • Recovery key: Allow 48-digit recovery password
    • Save BitLocker recovery information to Azure AD: Required
    • Store recovery information in Azure AD before enabling BitLocker: Required (this is critical -- ensures escrow completes before encryption starts)
  • BitLocker fixed drive policy: Configure (same recovery key escrow settings)
  • BitLocker removable drive policy: Block write to drives not protected by BitLocker (optional but recommended)

Verify recovery key escrow in Azure AD:

# Using Microsoft Graph PowerShell
Connect-MgGraph -Scopes 'BitlockerKey.Read.All'
$keys = Get-MgInformationProtectionBitlockerRecoveryKey -All
$keys | Select-Object Id, CreatedDateTime, DeviceId | Format-Table
# Cross-reference DeviceId with your device inventory

Deploy BitLocker via Group Policy with Active Directory Key Escrow

For domain-joined devices managed via Group Policy:

Group Policy path: Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption

OS Drive settings:

  • Require additional authentication at startup: Enabled
    • Require TPM: Not allowed
    • Configure TPM startup PIN: Require startup PIN with TPM
  • Choose how BitLocker-protected operating system drives can be recovered: Enabled
    • Allow data recovery agent: Yes
    • Configure 48-digit recovery password: Require
    • Save BitLocker recovery information to AD DS: Enabled
    • Do not enable BitLocker until recovery information is stored in AD DS: Enabled (escrow before encrypt)

Extend the AD schema (required for key escrow): Run on a domain controller from the Windows installation media:

cscript C:\Windows\System32\manage-bde.wsf -forcerecovery
# Or use the MBAM GPO templates which handle schema extension automatically

The recovery key lands in AD as a child object of the computer account. Verify:

Get-ADObject -Filter {objectclass -eq 'msFVE-RecoveryInformation'} `
  -SearchBase (Get-ADComputer COMPUTERNAME).DistinguishedName `
  -Properties msFVE-RecoveryPassword | Select msFVE-RecoveryPassword
Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Enforce TPM+PIN Authentication

TPM-only protection is the default and is insufficient for high-security environments. A TPM seals the encryption key and releases it automatically at boot if the measured boot sequence matches. This means the disk decrypts without user interaction -- protecting against offline attacks but not against a powered-on stolen device or DMA-based key extraction.

TPM+PIN requires a 6-20 character PIN at every boot, preventing decryption without physical presence.

Configure minimum PIN length: Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives

  • Configure minimum PIN length for startup: 8 (minimum; use 12 for high-sensitivity endpoints)

Allow enhanced PIN (alphanumeric):

  • Allow enhanced PINs for startup: Enabled

Enforce via Intune (see above) or set via Group Policy as above. Note: TPM+PIN requires the user to enter the PIN at every boot including after updates and patches. Factor this into your patch restart workflow -- machines that restart remotely after patching will hang at the pre-boot PIN prompt until a user physically (or via IPMI/iLO) enters the PIN. Plan for automated PIN bypass in headless server environments using the Network Unlock feature.

BitLocker Compliance Auditing

Knowing which machines have BitLocker enabled (and whether the recovery keys are escrowed) requires active auditing. 'BitLocker is in your policy' is not the same as 'BitLocker is encrypting your devices.'

Audit via PowerShell (on-premises, run as domain admin):

# Get all computers in AD
$computers = Get-ADComputer -Filter * -Properties Name, OperatingSystem
$results = foreach ($c in $computers) {
    try {
        $keys = Get-ADObject -Filter {objectclass -eq 'msFVE-RecoveryInformation'} `
            -SearchBase $c.DistinguishedName -Properties Created -ErrorAction Stop
        [PSCustomObject]@{
            Computer = $c.Name
            OS       = $c.OperatingSystem
            HasKey   = ($keys.Count -gt 0)
            KeyCount = $keys.Count
            LastKey  = ($keys | Sort-Object Created | Select -Last 1).Created
        }
    } catch {
        [PSCustomObject]@{
            Computer = $c.Name
            OS       = $c.OperatingSystem
            HasKey   = $false
            KeyCount = 0
            LastKey  = $null
        }
    }
}
$results | Where-Object HasKey -eq $false | Export-Csv 'no-bitlocker-key.csv' -NoTypeInformation

Audit via Intune: Devices > Monitor > Encryption report shows encryption status and key escrow status per device. Filter by 'Not encrypted' or 'Key escrow: Not ready' to identify gaps.

Rotate recovery keys after any use:

# Force key rotation after a recovery
manage-bde -protectors -adbackup C: -id {KEYID}
# Or via Intune: rotate BitLocker key from the device blade

The bottom line

BitLocker deployment is the easy part -- the management is where organizations fail. The three requirements for a defensible BitLocker program: recovery keys escrowed to AD or Intune before encryption starts (not after), TPM+PIN enforced on laptops and high-sensitivity endpoints, and a quarterly compliance audit confirming every managed device has an escrowed key. Any used recovery key should be rotated immediately -- a used key is a compromised key.

Frequently asked questions

Is TPM-only BitLocker protection secure enough?

It depends on your threat model. TPM-only protection defends against offline attacks -- someone pulling the drive and reading it in another machine. It does not defend against an attacker with access to a running or recently-powered-off system, DMA attacks via Thunderbolt or PCIe interfaces, or evil maid attacks against the boot sequence. For laptops, TPM+PIN is the recommended standard because theft is a realistic scenario. For desktops in physically secured server rooms, TPM-only may be acceptable. For highly regulated environments, TPM+PIN on all endpoints is the baseline.

What happens to BitLocker keys when a device leaves Azure AD?

The recovery keys stored in Azure AD are tied to the device object. If the device object is deleted from Azure AD (for example, when wiping and re-registering), the recovery keys associated with that device object are deleted with it. Before decommissioning or re-imaging a device, rotate the recovery keys and confirm the new keys are escrowed before the old device object is removed. For Intune-managed devices, the Retire or Wipe action handles this cleanly, but ad-hoc Azure AD object deletions do not.

Can BitLocker be bypassed?

Not easily, with TPM+PIN enabled. The known attack surface includes: cold boot attacks (extracting keys from RAM while powered on, mitigated by memory scrubbing on shutdown), DMA attacks via Thunderbolt (mitigated by Kernel DMA Protection in firmware settings), and supply chain attacks against the TPM or firmware. TPM-only BitLocker without Secure Boot has been bypassed by attackers who modified the boot sequence to extract the key. With Secure Boot + TPM + PIN, the practical attack surface is reduced to physical access during an active session, which is a manageable residual risk for most organizations.

How do I recover a BitLocker-locked device without the recovery key?

Without the recovery key, the data is not recoverable. This is by design. If the key is not escrowed in AD or Intune, and the user does not have the key, the only option is wiping the device. This is why 'Do not enable BitLocker until recovery information is stored in AD DS' is a critical policy setting. If you are in this situation on a live device: check AD (msFVE-RecoveryInformation under the computer object), check Intune (Devices > device blade > Recovery keys), and check whether the user has the key saved in their personal Microsoft account (if BitLocker was set up outside of enterprise policy).

Does BitLocker protect against ransomware?

No. BitLocker protects against offline data theft -- someone physically taking the drive. Ransomware runs while the OS is booted, at which point BitLocker has already decrypted the volume for the OS to use. The ransomware encrypts files on top of the already-decrypted filesystem. BitLocker and ransomware protection are orthogonal controls addressing different threat scenarios.

How does BitLocker Network Unlock work and when should I use it?

BitLocker Network Unlock allows BitLocker-encrypted machines to unlock automatically when connected to a trusted corporate network, without requiring a PIN or USB key at boot. When the machine boots, the BitLocker boot agent sends an encrypted unlock request to a Windows Deployment Services (WDS) server on the network. If the machine's TPM measurements are valid and the network connection is authenticated (via a certificate in the machine's TPM), the WDS server provides the unlock protector. This enables servers and other devices that must restart unattended (after patches, power events) to boot automatically when on-premises, while still requiring a recovery key if booted off-network or if the boot measurements change. Network Unlock requires: WDS server on the same network segment, BitLocker Network Unlock feature installed on the WDS server, a Network Unlock certificate distributed to endpoints via Group Policy, and TPM 2.0 on client machines with a valid network boot path. Use Network Unlock for servers and datacenter systems that cannot accept a PIN at boot; use TPM-only unlock for workstations in controlled environments; use TPM + PIN for laptops that could be removed from the facility.

Sources & references

  1. Microsoft: BitLocker deployment and administration guide
  2. Microsoft: Manage BitLocker with Intune
  3. Microsoft: BitLocker recovery guide

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.