Skip navigation
Manage BitLocker in an Enterprise

Manage BitLocker in an Enterprise

Q. How can I manage BitLocker in an enterprise environment?

A. Windows client has long included BitLocker which is a volume level encryption technology. As part of BitLocker a Full Volume Encryption Key (FVEK) is used to secure the encryption of the volume which is itself encrypted with another key (the Volume Master Key, VMK which acts as a key protector) and that encrypted value stored on the disk. The VMK is typically protected by a TPM in the computer. If something were to happen to the TPM or perhaps the disk moved to another machine the VMK would be unavailable and therefore the FVEK could not be decrypted rendering the data on the disk un-decryptable and useless. For this reason a recovery key is also created during the BitLocker deployment process that is also used as a key protector for the FVEK enabling it to be accessed if required. The recovery key should be kept very secure and in an enterprise environment the storage of the recovery key is vital.

The Microsoft BitLocker Administration and Monitoring (MBAM) is part of the Microsoft Desktop Optimization Pack (MDOP) which is now part of Software Assurance. MBAM provides the complete management for BitLocker in an enterprise including its deployment, reporting on encryption state and storage/recovery of the recovery keys (including end-user self-service through a browser based portal).

Windows 8 can store the recovery key in Active Directory through Group Policy configurations. I walk through this at

For Windows 10 Azure AD can also be used. When a Windows 10 machine is Azure AD joined and BitLocker used the recovery key is automatically stored in Azure AD. This enables an enterprise protection of the recovery key without MBAM.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.