| Event ID | Source | Meaning | Action | | :--- | :--- | :--- | :--- | | 506 | BitLocker-Driver | Recovery key was used to unlock the volume | CRITICAL ALERT | | 507 | BitLocker-Driver | Recovery key was saved/viewed | HIGH ALERT | | 652 | BitLocker-API | TPM was cleared/reset | MEDIUM ALERT | | 761 | Microsoft-Windows-Deployment | BitLocker recovery entered during OOBE | INFO (tracking) | | 513 | BitLocker-Driver | Protection suspended | MEDIUM ALERT | For keys stored in AD, enable auditing on the msTPM-OwnerInformation attribute. Use PowerShell to monitor:
An update breaks Secure Boot. The TPM refuses to unseal. The helpdesk, under pressure to get the user working, uses the recovery key to boot. Without an alarm, the IT team never diagnoses the root cause. With an alarm, they see 10 devices all entering recovery after the same patch Tuesday. They can roll back the update instead of fighting fires all month. Part 4: Implementing the Alarm – Technical Blueprint Event Logs to Monitor (Windows) Configure your SIEM or log aggregator to watch for these specific Event IDs on endpoints and domain controllers: tpm encryption recovery key backup alarm
A disgruntled employee with administrative rights can retrieve the recovery key for any system in Active Directory. Without an alarm, this goes unnoticed. With an alarm (via Windows Event ID 506 or 507), security ops gets an alert: “User J.Doe accessed BitLocker recovery key for Finance-Server-02.” That is a red flag for potential data exfiltration. | Event ID | Source | Meaning |
The firm had no alarm. They didn’t know the TPM was failing until the user landed. Data was lost for 48 hours while a technician re-imaged the device. The helpdesk, under pressure to get the user
Get-ADObject -Filter ObjectClass -eq 'msTPM-OwnerInformation' -Properties * | Select-Object Created, Modified, ObjectGUID Combine this with Active Directory audit logs for “Read” operations on confidential attributes. Microsoft Endpoint Manager (Intune) can generate alerts for BitLocker recovery key access. In the Microsoft 365 Defender portal, go to Audit > BitLocker key access . Set up automated response rules: e.g., when a key is accessed from an unfamiliar IP, isolate the device and alert the security team. Part 5: The Human Factor – Alarm Fatigue vs. Real Risk One danger of implementing alarms is noise. If every legitimate helpdesk interaction triggers a “recovery key accessed” alert, your SOC will start ignoring them.