BitLocker Drive Encryption gets a lot of attention when it comes to end-user devices such as tablets, laptops, and desktop computers. However, it doesn’t get as much attention when it comes to protecting data on Windows Servers. Do you have a strategy in place to protect the data stored on your servers using disk encryption?
Most of us tend to have server racks, which makes unauthorized physical access for things such as removing or stealing servers a much harder proposition than with smaller user-type devices. But, since most rack mount servers have hot-swappable hard drives, it becomes very easy for someone with malicious intent to pull hard drives that could contain sensitive data.
Protecting server data can also be problematic if you have to deal with shared rooms/closets where telco equipment or even office supplies may be stored, especially if those are remote/satellite offices without a full-time IT person on staff or where multiple people have access to the room. In these situations, you can use BitLocker to protect your company’s data.
Requirements
As with client systems, BitLocker requires a Trusted Platform Module (TPM) version 1.2 or later. TPM version 2.0 adds some additional features, such as Connected Standby, but most servers aren’t going to use that feature. Without the TPM, a USB startup key or startup password is necessary for the server at every boot.
For this tutorial, the server also needs to be domain-joined because we need a way to back up the BitLocker recovery keys if the server runs into trouble and needs those keys.
For encrypting boot volumes, you’ll have to use physical hardware. BitLocker Drive Encryption is not supported for booting VHD/VHDX files, but it is supported for data drives. The same is true if you’re using VMware.
Installing BitLocker
BitLocker Drive Encryption is not installed by default on Windows Server. To install it, we’ll need to either use the GUI or run a PowerShell command.
Using the GUI
In the Server Manager, click Add roles and features. Click Next on the Before You Begin screen and Next again on the installation type, leaving Role-based or feature-based installation as the default. Select your server and click Next again. Skip Server Roles by clicking Next.
On the Features window, click the BitLocker Drive Encryption check box.
Install BitLocker Drive Encryption in Add Roles and Features Wizard
When prompted, select the Include management tools (if applicable) check box and click Add Features.
Include management tools for BitLocker Drive Encryption
Click Next when you’re taken back to the Select Features window. The install process will require a reboot; select Restart the destination server automatically if required and click Install. Accept the reboot warning by clicking Yes, and then click Install one last time.
Using PowerShell
To install BitLocker Drive Encryption using PowerShell, open a PowerShell window with Administrator rights and run the following command:
Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -Restart
Unspecified error
If you try to use the BitLocker GUI tools by going to Control Panel > BitLocker Drive Encryption or by going to the Start screen and searching for the BitLocker tools by typing “BitLocker,” you may receive some variation of the error C:\Users\%username%\AppD…\Classic_{886EDAFC-1051-483F-8AE2-904087A7E580}.settingcontent-ms – Unspecified error.
Unspecified Error when using BitLocker GUI tools
Michael encountered this error in a VirtualBox VM, and I was able to confirm it on a Hyper-V VM. Both of us think this is most likely just a bug because you can resolve it by rebooting after the initial reboot that is needed to install BitLocker on Windows Server 2012 R2.
Configuring backup of BitLocker recovery information
Escrowing your BitLocker recovery information is an incredibly important step in encrypting your servers. Should something happen to a server that requires this information, not having it means you’ll have to recover the system from a backup. If the machine is in Active Directory, we can configure a few settings in Group Policy to ensure that the recovery information is saved.
In a Group Policy Object (GPO) that is linked to the Organizational Unit (OU) where your servers are located, right-click the GPO and choose Edit. Go to Computer Configuration > Policies > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives > Choose how BitLocker-protected operating system drives can be recovered and set it to Enabled.
Choose how BitLocker-protected operating system drives can be recovered
In addition to the default settings, select the Do not enable BitLocker until recovery information is stored to AD DS for operating system drives check box. I also like to select Omit recovery options from the BitLocker setup wizard.
Next, we’ll need to do the same thing for fixed/data drives. Go to Computer Configuration > Policies > Administrative Templates > Windows Components > BitLocker Drive Encryption > Fixed Data Drives > Choose how BitLocker-protected fixed drives can be recovered and set it to Enabled.
Choose how BitLocker-protected fixed drives can be recovered
Like you did for the operating system drives, select the Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives check box. I also like to select Omit recovery options from the BitLocker setup wizard for fixed/data drives.
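Once the two policies above have applied, you can confirm the result on the server itself and escrow the recovery passwords of any volume that was encrypted before the policy existed. The following script is an added example, not the article's own, and assumes a domain-joined server and the FVE policy registry value names it lists:

```powershell
# Added example (not from the article): confirm the two recovery-policy settings described
# above have applied to this server, then escrow every recovery password to AD DS.
# Assumes a domain-joined server and the FVE policy registry value names used below.
$fvePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$expected = @{
    OSRecovery                      = 1  # "Choose how ... operating system drives can be recovered" = Enabled
    OSRequireActiveDirectoryBackup  = 1  # "Do not enable BitLocker until recovery information is stored to AD DS"
    OSHideRecoveryPage              = 1  # "Omit recovery options from the BitLocker setup wizard"
    FDVRecovery                     = 1  # the same three settings under Fixed Data Drives
    FDVRequireActiveDirectoryBackup = 1
    FDVHideRecoveryPage             = 1
}

function Test-BitLockerRecoveryPolicy {
    # Returns $true only when every expected value is present with the expected data.
    if (-not (Test-Path $fvePolicy)) {
        Write-Warning 'No BitLocker policy has applied yet; run gpupdate /force and re-check.'
        return $false
    }
    $actual = Get-ItemProperty -Path $fvePolicy
    $ok = $true
    foreach ($name in $expected.Keys) {
        $value = $actual.$name
        if ($value -ne $expected[$name]) {
            $shown = if ($null -eq $value) { '<missing>' } else { $value }
            Write-Warning ("{0}: expected {1}, found {2}" -f $name, $expected[$name], $shown)
            $ok = $false
        }
    }
    return $ok
}

function Backup-AllRecoveryPasswords {
    # Pushes each recovery password protector to the computer object in AD DS
    # (the msFVE-RecoveryInformation object the Recovery Password Viewer reads).
    foreach ($vol in Get-BitLockerVolume) {
        $rp = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
        if (-not $rp) {
            Write-Warning "$($vol.MountPoint) has no recovery password protector; nothing to escrow."
            continue
        }
        foreach ($p in $rp) {
            Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
            "$($vol.MountPoint): escrowed recovery password $($p.KeyProtectorId)"
        }
    }
}
if (Test-BitLockerRecoveryPolicy) { Backup-AllRecoveryPasswords }
```

Run it once after gpupdate on a server that was encrypted before the GPO existed; afterwards the BitLocker Recovery tab in ADUC should show one entry per volume.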
Enabling BitLocker
The last step in setting up BitLocker on our server is encrypting the drive. As with installing BitLocker, we can accomplish this with either the GUI or PowerShell.
Enable BitLocker with the GUI on the operating system drive
To encrypt the operating system drive in the GUI, go to the Control Panel, change the view to Large (or Small) icons, and go to BitLocker Drive Encryption. Click Turn on BitLocker in the Operating System Drive section.
Turn on BitLocker using the GUI for the operating system drive
Next, you’ll need to select whether you want to Encrypt used disk space only or Encrypt entire drive. If you’re working with a brand-new server, used disk space will encrypt the drive much faster. If you’re working with a server that has been in use, the entire drive option is the preferred option so that all space (including free space) is encrypted. Click Next after you’ve made your selection.
Choose how much of your drive to encrypt: used space or entire drive
On the last screen, you can choose to run a hardware system check by selecting the Run BitLocker system check check box. If you select this box, you’ll have to reboot. Click Start encrypting to start the encryption process.
Start encrypting after choosing to “Run BitLocker system check”
Enable BitLocker with PowerShell on the operating system drive
To enable BitLocker on the operating system drive, run the following PowerShell command:
Enable-BitLocker -MountPoint "C:" -UsedSpaceOnly -RecoveryPasswordProtector
Enabling BitLocker with the Enable-BitLocker cmdlet on an operating system drive
If you’re working with an existing server that’s been in use, you can omit -UsedSpaceOnly so that all drive space on C:\ is encrypted in case any old data is lingering on now-unused portions of the disk. You can also add -SkipHardwareTest to remove the required reboot for a hardware check.
Enable BitLocker with the GUI on a fixed data drive
To encrypt a fixed data drive in the GUI, go to the Control Panel, change the view to Large (or Small) icons, and go to BitLocker Drive Encryption. Click Turn on BitLocker in the Fixed Data Drives section.
Turn on BitLocker using the GUI for fixed data drives
Next, you’ll be asked how to unlock the fixed data drive. Because this is a server, and we don’t want to have to log in every time it reboots to enter a password to unlock the data drive, select Automatically unlock this drive on this computer and then click Next.
Automatically unlock this drive on this computer
Next, you’ll need to select whether you want to Encrypt used disk space only or Encrypt entire drive. If you’re working with a brand-new server, used disk space will encrypt the drive much faster. If you’re working with a server that has been in use, the entire drive option is the preferred option so that all space (including free space) is encrypted. Click Next after you’ve made your selection.
Choose how much of your drive to encrypt: used space or entire drive
On the last screen, click Start encrypting to start the encryption process.
Start encrypting
Enable BitLocker with PowerShell on a fixed data drive
To enable BitLocker on a fixed data drive, run the following PowerShell command:
Enable-BitLocker -MountPoint "D:" -UsedSpaceOnly -RecoveryPasswordProtector
Enable-BitLockerAutoUnlock -MountPoint "D:"
Enabling BitLocker with the Enable-BitLocker cmdlet on a fixed data drive
The first PowerShell line is pretty much the same as encrypting an operating system drive. If you’re using a brand-new server or a data drive that has no data, -UsedSpaceOnly speeds up the encryption process; for a drive that has been in use, omit it so that all space is encrypted. The second line allows the drive to be automatically unlocked when the server reboots.
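The OS-drive and data-drive commands above, combined into one script with the checks a server build should make first (feature installed, TPM present and ready, volume not already encrypted). This is an added example rather than the article's own code; it assumes a domain-joined server with a TPM, and $DataDrives is a constructed list:

```powershell
# Added example (not from the article): the OS-drive and data-drive Enable-BitLocker steps
# above, wrapped in the checks a server build should make first. Assumes a domain-joined
# server with a TPM; $DataDrives is a constructed list for this example.
$DataDrives = @('D:')

function Assert-BitLockerReady {
    if (-not (Get-WindowsFeature BitLocker).Installed) {
        throw 'BitLocker feature is not installed; run Install-WindowsFeature BitLocker first.'
    }
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        throw 'TPM is absent or not ready; without it a startup key or password is needed at every boot.'
    }
}

function Enable-ServerBitLocker {
    param([switch]$EntireDrive)  # use on a server that has been in use, so free space is encrypted too
    Assert-BitLockerReady
    $common = @{ RecoveryPasswordProtector = $true; SkipHardwareTest = $true }
    if (-not $EntireDrive) { $common.UsedSpaceOnly = $true }

    $os = Get-BitLockerVolume -MountPoint 'C:'
    if ($os.VolumeStatus -eq 'FullyDecrypted') {
        Enable-BitLocker -MountPoint 'C:' @common | Out-Null
        # The command above only adds the recovery password. Assumption made here: add a TPM
        # protector explicitly so the OS volume unlocks unattended at boot.
        Add-BitLockerKeyProtector -MountPoint 'C:' -TpmProtector | Out-Null
    }

    foreach ($drive in $DataDrives) {
        $vol = Get-BitLockerVolume -MountPoint $drive
        if ($vol.VolumeStatus -eq 'FullyDecrypted') {
            Enable-BitLocker -MountPoint $drive @common | Out-Null
        }
        # Auto-unlock stores the data drive's key on the protected OS volume, so nobody has
        # to type a password for the data drive after a reboot.
        if (-not $vol.AutoUnlockEnabled) { Enable-BitLockerAutoUnlock -MountPoint $drive | Out-Null }
    }
    # Summary for the change record; EncryptionPercentage climbs until conversion finishes.
    Get-BitLockerVolume | Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage
}

Enable-ServerBitLocker
```

With the GPO from the previous section in place, Enable-BitLocker refuses to proceed if the recovery password cannot be written to AD DS, which is the behaviour you want on a server.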
View BitLocker recovery passwords
If you need to view the BitLocker recovery passwords, you’ll need to install the BitLocker Recovery Password Viewer to use in Active Directory Users and Computers (ADUC). If you’re using a system that you’ve just encrypted using these instructions, the viewer is already installed. You can also use the following PowerShell command:
Install-WindowsFeature RSAT-Feature-Tools-BitLocker
In ADUC, you can double-click any BitLocker-encrypted system that has recovery data backed up in AD DS and go to the BitLocker Recovery tab to view the recovery passwords.
BitLocker recovery passwords in Computer Properties
Great write-up. I’m always wary of encrypting servers in case there is a DR situation. Will need to do some testing on this.
I completely agree! It’s one thing for someone’s laptop to randomly ask for a Recovery Key, but a server… ouch. In a perfect world, you’re running all your workloads in Hyper-V and a non-booting server isn’t as big of a deal as, say, a SQL server or Exchange not coming back up. In a perfect world, your infrastructure would have enough redundancy to handle the outage of a server that won’t boot because of a BitLocker issue. As for backups, as long as the vendor supports protection of BitLocker-encrypted volumes (most should), you should be good to go.
We have a mixture of computers within the domain with and without BitLocker enabled. These computers are sitting in the same OU.
We are looking at pushing out a startup script GPO to disable startup repair on all computers.
In order for BitLocker-enabled computers to stop having to use the recovery key at each reboot, we included the two cmdlets within the startup script to disable and enable BitLocker.
bcdedit / set … … …
… … …
manage-bde -protectors -disable C:
manage-bde -protectors -enable C:
We tested it. By running the above cmdlets, computers with BitLocker no longer ask for the BitLocker recovery key upon restart.
However, what impact / changes would these cmdlets bring to the computers WITHOUT BitLocker enabled? Do the cmdlets make registry key changes, etc.?
What could happen to those computers that do not have BitLocker enabled when the manage-bde xxx cmdlets run?
Thank you for sharing. Great post.
I’m a little confused as to why you would need to disable startup repair. Are your computers running startup repair every time they reboot? If so, you’ve got bigger issues because that isn’t normal behavior.
Before you run a command in a script to make changes to BitLocker, you should be checking to see if BitLocker is enabled first. You’re asking for trouble running commands against a system without first verifying that what you’re trying to modify is/isn’t on the box.
We need to stop Startup Repair from appearing due to shutdown failures (which includes intentionally yanking the power cord) or by pressing the F8 key, for security reasons. We have got the bcdedit /set cmdlets tested and working.
We then came to realise that computers with BitLocker enabled ask for the BitLocker recovery key upon restart. Thus, we included these two cmdlets:
manage-bde -protectors -disable C:
manage-bde -protectors -enable C:
However, these computers (with and without BitLocker) are sitting in the same OU.
Are you saying that by running -disable / -enable on a computer without BitLocker, there may be unknown risks?
Trying to find out more info, as I thought that by running -disable / -enable on a computer without BitLocker, that computer would ignore these cmdlets (do nothing).
Unlike if I ran -off / -on, in which case BitLocker would be turned ON.
Thank you for your help.
I still think you’ve got some other issue if you’re having so many computers run startup repair that you want to disable it. I used to support an army of systems that were all BitLocker encrypted and I can’t recall ever having one go into startup repair.
I’m saying that (1) you should test it because I haven’t and (2) you shouldn’t blindly run any command against a system without doing a sanity check to see if it is necessary. I would never run a command like that without checking to see if BitLocker was enabled first and then skip the command if BitLocker wasn’t enabled.
Thanks for the ideas.
Wrote a script to run the manage-bde cmdlets only if a computer has BitLocker Protection Status set to On; otherwise ignore.
REM Match the shorter substring "Protection On" so the column padding that manage-bde puts
REM after "Protection Status:" does not matter; it does not match "Protection Off".
manage-bde -status C: | find /I "Protection On" >Nul && (
  manage-bde -protectors -disable C:
  manage-bde -protectors -enable C:
) || (
  Echo No BitLocker, no action required
)
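The same guard, written in PowerShell so it can run as a startup script across a mixed OU. This is an added example, not the commenter's script; it uses Suspend-BitLocker and Resume-BitLocker as the cmdlet equivalents of manage-bde -protectors -disable / -enable, and does nothing on a machine where the BitLocker cmdlets are missing or no volume is protected:

```powershell
# Added example (not the commenter's script): only touch volumes whose protection is on,
# and exit quietly on machines that have no BitLocker cmdlets or no protected volume.
function Reset-BitLockerProtectorsIfOn {
    param([string[]]$MountPoint = @('C:'))
    if (-not (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue)) {
        return 'BitLocker cmdlets not present; no action'
    }
    foreach ($mp in $MountPoint) {
        $vol = Get-BitLockerVolume -MountPoint $mp -ErrorAction SilentlyContinue
        if (-not $vol -or $vol.ProtectionStatus -ne 'On') {
            "${mp}: protection not on; no action"
            continue
        }
        # Equivalent of manage-bde -protectors -disable / -enable. -RebootCount 0 keeps the
        # protectors suspended until Resume-BitLocker runs, which happens on the next line.
        Suspend-BitLocker -MountPoint $mp -RebootCount 0 | Out-Null
        Resume-BitLocker  -MountPoint $mp | Out-Null
        "${mp}: protectors suspended and resumed"
    }
}

Reset-BitLockerProtectorsIfOn
```

Log the returned strings from the startup script so you can see, per machine, whether it acted or skipped.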
We are trying to follow your post and turn on bitlocker on several Windows 2012 R2 servers.
The problem is that when we try to turn on BitLocker we do not have all the options in the GUI. For example, when turning on BitLocker on drive D, there is no option "Automatically unlock this drive on this computer", and for drive C it requires us to save the password to a file or USB.
What we are seeing is that the screens you posted for Windows 2012 R2 are not available to us when we try to turn on BitLocker on drives. We have looked everywhere; so far, no resolution to this.
We are wondering if you have seen this and can tell us what we are doing wrong. Dell server with the TPM turned on.
Thank you.
Sounds as if Windows doesn’t recognize the TPM. Could be a driver issue. Can you see the TPM in device manager (under security devices)?
Hello:
Yes, I can see the TPM under Security devices, version 1.2.
Has anybody seen this problem?
Very nice post about BitLocker, see this video for complete configuration.
https://youtu.be/c3Ljd8Y4S-Q