BitLocker isn’t just a feature for Windows desktop, laptop, and tablet computers. It’s also available for Windows Server as an installable feature. It is a great way to protect servers if you deal with remote locations or hard-to-secure server closets, or if you just want to protect the drives of racked servers. In this article, I’ll cover installing BitLocker and configuring it on Windows Server 2012 R2.

BitLocker Drive Encryption gets a lot of attention when it comes to end-user devices such as tablets, laptops, and desktop computers. However, it doesn’t get as much attention when it comes to protecting data on Windows Servers. Do you have a strategy in place to protect the data stored on your servers using disk encryption?

Most of us keep servers in racks, which makes unauthorized physical access, such as removing or stealing a whole server, a much harder proposition than with smaller user devices. But since most rack-mount servers have hot-swappable hard drives, it is very easy for someone with malicious intent to pull a drive that contains sensitive data and read it in another machine.

Protecting server data can also be problematic if you have to deal with shared rooms/closets where telco equipment or even office supplies may be stored, especially if those are remote/satellite offices without a full-time IT person on staff or where multiple people have access to the room. In these situations, you can use BitLocker to protect your company’s data.

Requirements

As with client systems, transparent unlocking of the operating system drive requires a Trusted Platform Module (TPM) version 1.2 or later. TPM 2.0 is needed for some client-device scenarios (Connected Standby devices, for example), but servers rarely use those. Without a TPM, BitLocker can still protect the OS drive, but only if Group Policy (Require additional authentication at startup > Allow BitLocker without a compatible TPM) permits it, and someone then has to supply a USB startup key or a startup password at every boot, which is rarely acceptable for a server in a remote closet.

For this tutorial, the server also needs to be domain-joined, because Active Directory is where we escrow the BitLocker recovery passwords. If the server ever drops into recovery, those passwords are the only way back in, and the Group Policy settings below make that backup a precondition for turning BitLocker on.

For encrypting operating system volumes, you'll have to use physical hardware. BitLocker is not supported on native-boot VHD/VHDX operating system volumes, and a Hyper-V guest on Windows Server 2012 R2 has no TPM to seal the key to; the same is true if you're using VMware. BitLocker on data drives inside a virtual machine is supported.

Installing BitLocker

BitLocker Drive Encryption is not installed by default on Windows Server. To install it, we’ll need to either use the GUI or run a PowerShell command.

Using the GUI

In the Server Manager, click Add roles and features. Click Next on the Before You Begin screen and Next again on the installation type, leaving Role-based or feature-based installation as the default. Select your server and click Next again. Skip Server Roles by clicking Next.

On the Features window, click the BitLocker Drive Encryption check box.

Install BitLocker Drive Encryption in Add Roles and Features Wizard

When prompted, select the Include management tools (if applicable) check box and click Add Features.

Include management tools for BitLocker Drive Encryption

Click Next when you’re taken back to the Select Features window. The install process will require a reboot; select Restart the destination server automatically if required and click Install. Accept the reboot warning by clicking Yes, and then click Install one last time.

Using PowerShell

To install BitLocker Drive Encryption using PowerShell, open a PowerShell window with Administrator rights and run the following command:

Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -Restart

Unspecified error

If you try to use the BitLocker GUI tools by going to Control Panel > BitLocker Drive Encryption or by going to the Start screen and searching for the BitLocker tools by typing “BitLocker,” you may receive some variation of the error C:\Users\%username%\AppD…\Classic_{886EDAFC-1051-483F-8AE2-904087A7E580}.settingcontent-ms – Unspecified error.

Unspecified Error when using BitLocker GUI tools

Michael encountered this error in a VirtualBox VM, and I was able to confirm it on a Hyper-V VM. Both of us think this is most likely just a bug because you can resolve it by rebooting after the initial reboot that is needed to install BitLocker on Windows Server 2012 R2.

Configuring backup of BitLocker recovery information

Escrowing your BitLocker recovery information is the most important step in encrypting your servers. A TPM-sealed key stops working as soon as the measured boot chain changes (a firmware update, a mainboard or TPM replacement, a changed boot order), and at that point the recovery password is the only way back in. If it was never saved, the only option left is to rebuild the server from backup. If the machine is in Active Directory, a few Group Policy settings ensure that the recovery information is written to AD DS, and that BitLocker refuses to turn on until it has been.

In a Group Policy Object (GPO) that is linked to the Organizational Unit (OU) where your servers are located, right-click the GPO and choose Edit. Go to Computer Configuration > Policies > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives > Choose how BitLocker-protected operating system drives can be recovered and set it to Enabled.

Choose how BitLocker-protected operating system drives can be recovered

In addition to the default settings, select the Do not enable BitLocker until recovery information is stored to AD DS for operating system drives check box. I also like to select Omit recovery options from the BitLocker setup wizard.

Next, we’ll need to do the same thing for fixed/data drives. Go to Computer Configuration > Policies > Administrative Templates > Windows Components > BitLocker Drive Encryption > Fixed Data Drives > Choose how BitLocker-protected fixed drives can be recovered and set it to Enabled.

Choose how BitLocker-protected fixed drives can be recovered

Like you did for the operating system drives, select the Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives check box. I also like to select Omit recovery options from the BitLocker setup wizard for fixed/data drives.
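The same two policies set from PowerShell, plus the check I'd run on the server before encrypting anything, as an added example that is not part of the original article. The GPO name is made up, and the registry value names are the ones the BitLocker ADMX writes under HKLM\SOFTWARE\Policies\Microsoft\FVE as I know them (OS* for operating system drives, FDV* for fixed data drives); confirm them against the GPO's settings report if your ADMX version differs. Set-GPRegistryValue needs the GroupPolicy module, so run the first part where the GPMC is installed and the Test-BitLockerEscrowPolicy function on the server itself after gpupdate /force.

```powershell
# Added example (not from the original article): write the two
# "Choose how ... can be recovered" policies with Set-GPRegistryValue and
# verify on the server that they actually applied before enabling BitLocker.
# Assumptions: the GPO name, and the FVE value names/encodings as set by the
# BitLocker ADMX (1 = allow, 2 = require for the password/key settings).
Import-Module GroupPolicy

$GpoName   = 'Server BitLocker'                      # assumed GPO, linked to the server OU
$PolicyKey = 'HKLM\SOFTWARE\Policies\Microsoft\FVE'

# One table drives both drive types; only the value-name prefix differs.
$Settings = @{
    'Recovery'                     = 1   # policy state: Enabled
    'ManageDRA'                    = 1   # allow a data recovery agent (wizard default)
    'RecoveryPassword'             = 1   # allow the 48-digit recovery password (wizard default)
    'RecoveryKey'                  = 1   # allow the 256-bit recovery key (wizard default)
    'HideRecoveryPage'             = 1   # "Omit recovery options from the BitLocker setup wizard"
    'ActiveDirectoryBackup'        = 1   # save recovery information to AD DS
    'ActiveDirectoryInfoToStore'   = 1   # store recovery passwords and key packages
    'RequireActiveDirectoryBackup' = 1   # "Do not enable BitLocker until recovery information is stored to AD DS"
}

foreach ($Prefix in 'OS', 'FDV') {
    foreach ($Name in $Settings.Keys) {
        Set-GPRegistryValue -Name $GpoName -Key $PolicyKey `
            -ValueName "$Prefix$Name" -Type DWord -Value $Settings[$Name] | Out-Null
    }
}

# Run on the server after gpupdate /force. Returns $true only when AD backup is
# both enabled and required for OS drives and for fixed data drives.
function Test-BitLockerEscrowPolicy {
    $Key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $Key)) {
        Write-Warning 'No BitLocker policy has been applied to this computer.'
        return $false
    }
    $Fve = Get-ItemProperty -Path $Key
    $Ok  = $true
    foreach ($Prefix in 'OS', 'FDV') {
        foreach ($Name in 'ActiveDirectoryBackup', 'RequireActiveDirectoryBackup') {
            $Value = $Fve."$Prefix$Name"
            if ($Value -ne 1) {
                Write-Warning "$Prefix$Name is '$Value' (expected 1); recovery info may not be escrowed."
                $Ok = $false
            }
        }
    }
    return $Ok
}

Test-BitLockerEscrowPolicy
```

If the function returns $false on a freshly built server, check the GPO link and security filtering before encrypting; once the "do not enable until stored" setting is in force, Enable-BitLocker itself will refuse to proceed without a successful backup, which is exactly the behavior you want on a server you cannot walk over to.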

Enabling BitLocker

The last step in setting up BitLocker on our server is encrypting the drive. As with installing BitLocker, we can accomplish this with either the GUI or PowerShell.

Enable BitLocker with the GUI on the operating system drive

To encrypt the operating system drive in the GUI, go to the Control Panel, change the view to Large (or Small) icons, and go to BitLocker Drive Encryption. Click Turn on BitLocker in the Operating System Drive section.

Turn on BitLocker using the GUI for the Operating system drive

Next, select either Encrypt used disk space only or Encrypt entire drive. On a brand-new server, used disk space only is much faster because only the blocks currently in use are encrypted. On a server that has been in use, choose the entire drive: used-space-only leaves free space unencrypted, so remnants of previously deleted files stay readable on the raw disk. Click Next after you've made your selection.

Choose how much of your drive to encrypt - Used space or entire drive - Operating system drive

On the last screen, you can choose to run a hardware system check by selecting the Run BitLocker system check check box. The check reboots the server once and confirms that the TPM can actually release the key in this boot environment before the drive is locked, so it is worth the extra reboot on a server you cannot walk over to. Click Start encrypting to start the encryption process.

Start encrypting after choosing to Run BitLocker system check

Enable BitLocker with PowerShell on the operating system drive

To enable BitLocker on the operating system drive, run the following PowerShell commands. The first adds a recovery password protector and starts encryption; the second adds the TPM protector that lets the server boot unattended. Without the TPM protector, the recovery password is the only key protector, and the server stops at the recovery screen on every boot:

Enable-BitLocker -MountPoint "C:" -UsedSpaceOnly -RecoveryPasswordProtector
Add-BitLockerKeyProtector -MountPoint "C:" -TpmProtector

Enabling BitLocker with the Enable-BitLocker cmdlet on an operating system drive

If you're working with an existing server that's been in use, omit -UsedSpaceOnly so that all space on C:\ (including free space) is encrypted, in case old data is lingering in now-unused portions of the disk. You can also add -SkipHardwareTest to avoid the reboot for the hardware check; the check confirms that the TPM can unseal the key before the drive is locked, so on a remote server it is usually worth keeping.

Enable BitLocker with the GUI on a fixed data drive

To encrypt a fixed data drive in the GUI, go to the Control Panel, change the view to Large (or Small) icons, and go to BitLocker Drive Encryption. Click Turn on BitLocker in the Fixed Data Drives section.

Turn on BitLocker using the GUI for fixed data drives

Next, you’ll be asked how to unlock the fixed data drive. Because this is a server, and we don’t want to have to log in every time it reboots to enter a password to unlock the data drive, select Automatically unlock this drive on this computer and then click Next.

Automatically unlock this drive on this computer

Next, select either Encrypt used disk space only or Encrypt entire drive. On a brand-new server, used disk space only is much faster. On a server that has been in use, choose the entire drive so that all space, including free space and the deleted-file remnants it may hold, is encrypted. Click Next after you've made your selection.

Choose how much of your drive to encrypt - used space or entire drive - fixed data drive

On the last screen, click Start encrypting to start the encryption process.

Start encrypting

Enable BitLocker with PowerShell on a fixed data drive

To enable BitLocker on a fixed data drive, run the following PowerShell commands:

Enable-BitLocker -MountPoint "D:" -UsedSpaceOnly -RecoveryPasswordProtector
Enable-BitLockerAutoUnlock -MountPoint "D:"

Enabling BitLocker with the Enable-BitLocker cmdlet on a fixed data drive

The first line is the same as for the operating system drive. On a brand-new server or an empty data drive, -UsedSpaceOnly speeds up encryption considerably; on a drive that has held data, omit it so that free space is encrypted as well. The second line lets the drive unlock automatically when the server reboots. Auto-unlock stores the data drive's key on the BitLocker-protected operating system volume, so it only works (and the GUI only offers it) once the OS drive itself is protected.
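Both procedures above, the operating system drive and the fixed data drive, put together as one unattended script, as an added example that is not part of the original article. It checks the TPM, creates the recovery password protector first and pushes it to AD DS with Backup-BitLockerKeyProtector before the TPM protector goes on, refuses to set up auto-unlock while the OS drive is unprotected, and ends with a summary of every volume's protectors. Drive letters are assumptions; the cmdlets come from the BitLocker and TrustedPlatformModule modules that ship with the feature.

```powershell
# Added example (not from the original article): enable BitLocker unattended
# on the OS drive and a data drive with the protectors a server needs, escrow
# the recovery password to AD DS, and verify the result. Drive letters are
# assumptions. Run elevated on the domain-joined server.

function Enable-ServerOsBitLocker {
    param([string]$MountPoint = 'C:', [switch]$EncryptFreeSpace)

    $Tpm = Get-Tpm
    if (-not ($Tpm.TpmPresent -and $Tpm.TpmReady)) {
        throw "TPM not present/ready on $env:COMPUTERNAME; initialize it before encrypting the OS drive."
    }

    $Vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($Vol.VolumeStatus -ne 'FullyDecrypted') {
        Write-Warning "$MountPoint is already $($Vol.VolumeStatus); leaving it alone."
        return $Vol
    }

    # 1. Recovery password first, so it exists (and is escrowed) before anything can lock the drive.
    $Params = @{ MountPoint = $MountPoint; RecoveryPasswordProtector = $true; SkipHardwareTest = $true }
    if (-not $EncryptFreeSpace) { $Params.UsedSpaceOnly = $true }
    Enable-BitLocker @Params | Out-Null

    # 2. Push the recovery password to AD DS explicitly rather than only trusting the policy-driven backup.
    $Rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword'
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $Rp.KeyProtectorId | Out-Null

    # 3. TPM protector so the server boots without anyone typing anything.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmProtector | Out-Null
    Get-BitLockerVolume -MountPoint $MountPoint
}

function Enable-ServerDataBitLocker {
    param([string]$MountPoint = 'D:', [switch]$EncryptFreeSpace)

    # Auto-unlock keeps the data drive's key on the OS volume, so the OS volume must already be protected.
    $Os = Get-BitLockerVolume -MountPoint $env:SystemDrive
    if ($Os.ProtectionStatus -ne 'On') {
        throw "OS drive $env:SystemDrive is not BitLocker-protected; auto-unlock for $MountPoint would fail."
    }

    $Params = @{ MountPoint = $MountPoint; RecoveryPasswordProtector = $true }
    if (-not $EncryptFreeSpace) { $Params.UsedSpaceOnly = $true }
    Enable-BitLocker @Params | Out-Null

    $Rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword'
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $Rp.KeyProtectorId | Out-Null

    Enable-BitLockerAutoUnlock -MountPoint $MountPoint | Out-Null
    Get-BitLockerVolume -MountPoint $MountPoint
}

# One line per volume: state, progress and which protector types it carries.
function Get-BitLockerSummary {
    Get-BitLockerVolume | Select-Object MountPoint, VolumeType, VolumeStatus, ProtectionStatus,
        EncryptionPercentage,
        @{ n = 'Protectors'; e = { $_.KeyProtector.KeyProtectorType -join ',' } }
}

Enable-ServerOsBitLocker   -MountPoint 'C:' -EncryptFreeSpace   # in-service server: encrypt free space too
Enable-ServerDataBitLocker -MountPoint 'D:'
Get-BitLockerSummary | Format-Table -AutoSize
```

The summary should show Tpm,RecoveryPassword on C: and RecoveryPassword,ExternalKey on D: (the ExternalKey entry is the auto-unlock key). If C: shows only RecoveryPassword, do not reboot until the TPM protector has been added.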

View BitLocker recovery passwords

If you need to view the BitLocker recovery passwords, you'll need the BitLocker Recovery Password Viewer extension for Active Directory Users and Computers (ADUC). On the server you just encrypted with these instructions, the viewer was installed along with the management tools; on an administrative workstation or domain controller, install it with the following PowerShell command:

Install-WindowsFeature RSAT-Feature-Tools-BitLocker

In ADUC, you can double-click any BitLocker-encrypted system that has recovery data backed up in AD DS and go to the BitLocker Recovery tab to view the recovery passwords.
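The same lookup from PowerShell, with a cross-check that every recovery-password protector on a server actually has a matching msFVE-RecoveryInformation object in AD DS, as an added example that is not part of the original article. It assumes the ActiveDirectory module (RSAT-AD-PowerShell) on the workstation, WinRM access to the server for the cross-check, and a made-up computer name; reading msFVE-RecoveryPassword needs the same rights as the ADUC tab (Domain Admins by default).

```powershell
# Added example (not from the original article): read escrowed recovery
# passwords from AD DS and confirm the server's protector IDs are covered.
# Assumptions: ActiveDirectory module installed, WinRM reachable, computer
# name 'SRV01' is fictional.
Import-Module ActiveDirectory

function Get-EscrowedRecoveryPassword {
    param([Parameter(Mandatory)][string]$ComputerName)

    $Computer = Get-ADComputer -Identity $ComputerName
    # Recovery objects are children of the computer object; their CN is
    # "<creation time>{<key protector GUID>}", so the GUID can be read off the name.
    Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
                 -SearchBase $Computer.DistinguishedName -SearchScope OneLevel `
                 -Properties msFVE-RecoveryPassword, whenCreated |
        ForEach-Object {
            [pscustomobject]@{
                Computer         = $ComputerName
                KeyProtectorId   = if ($_.Name -match '\{[0-9A-Fa-f-]{36}\}$') { $Matches[0] } else { $null }
                Created          = $_.whenCreated
                RecoveryPassword = $_.'msFVE-RecoveryPassword'
            }
        }
}

# Which recovery-password protectors on the server are NOT in AD? Anything with
# InAD = $false means a recovery would depend on a password nobody has.
function Test-RecoveryPasswordEscrow {
    param([Parameter(Mandatory)][string]$ComputerName)

    $Escrowed = (Get-EscrowedRecoveryPassword -ComputerName $ComputerName).KeyProtectorId
    $Local = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Get-BitLockerVolume | ForEach-Object {
            $Mp = $_.MountPoint
            $_.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' |
                ForEach-Object { [pscustomobject]@{ MountPoint = $Mp; KeyProtectorId = $_.KeyProtectorId } }
        }
    }
    foreach ($P in $Local) {
        [pscustomobject]@{
            MountPoint     = $P.MountPoint
            KeyProtectorId = $P.KeyProtectorId
            InAD           = [bool]($Escrowed -contains $P.KeyProtectorId)   # string -contains is case-insensitive
        }
    }
}

Get-EscrowedRecoveryPassword -ComputerName 'SRV01' | Format-Table -AutoSize
Test-RecoveryPasswordEscrow  -ComputerName 'SRV01' | Format-Table -AutoSize
```

The cross-check matters after any protector change: manage-bde -protectors -delete followed by a new recovery password, or a rebuild from image, leaves a fresh GUID on the server that the old AD object does not cover until it is backed up again.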

BitLocker Recovery Passwords in Computer Properties

11 Comments
  1. Paul, 9 years ago

    Great write-up. I’m always wary of encrypting servers in case there is a DR situation. Will need to do some testing on this.

    • Author

      I completely agree! It's one thing for someone's laptop to randomly ask for a Recovery Key, but a server… ouch. In a perfect world, you're running all your workloads in Hyper-V, and a non-booting server isn't as big of a deal as, say, a SQL server or Exchange not coming back up. In a perfect world, your infrastructure would have enough redundancy to handle the outage of a server that won't boot because of a BitLocker issue. As for backups, as long as the vendor supports protection of BitLocker-encrypted volumes (most should), you should be good to go.

  2. Ming, 8 years ago

    We have a mixture of computers within the domain, with and without BitLocker enabled. These computers are sitting in the same OU.

    We are looking at pushing out a startup script GPO to disable Startup Repair on all computers.

    In order for BitLocker-enabled computers to stop having to use the recovery key at each reboot, we included the two cmdlets within the startup script to disable and enable BitLocker.
    bcdedit / set … … …
    … … …
    manage-bde -protectors -disable c:
    manage-bde -protectors -enable c:
    We tested it. By running the above cmdlets, computers with BitLocker no longer ask for the BitLocker recovery key upon restart.

    However, what impact/changes would these cmdlets bring to the computers WITHOUT BitLocker enabled? Do the cmdlets make registry key changes, etc.?

    What could happen to those computers that do not have BitLocker enabled when the manage-bde xxx cmdlets run?

    Thank you for sharing. great post.

    • Author

      I’m a little confused as to why you would need to disable startup repair. Are your computers running startup repair every time they reboot? If so, you’ve got bigger issues because that isn’t normal behavior.

      Before you run a command in a script to make changes to BitLocker, you should be checking to see if BitLocker is enabled first. You’re asking for trouble running commands against a system without first verifying that what you’re trying to modify is/isn’t on the box.

  3. Ming, 8 years ago

    We need to stop Startup Repair from appearing due to shutdown failures (which include intentionally yanking the power cord) or by pressing the F8 key, for security reasons. We have the bcdedit /set cmdlets tested and working.

    We then came to realise that computers with BitLocker enabled ask for the BitLocker recovery key upon restart. Thus, we included these two cmdlets:

    manage-bde -protectors -disable c:
    manage-bde -protectors -enable c:

    However, these computers (with and without BitLocker) are sitting in the same OU.

    Are you saying that by running -disable / -enable on a computer without BitLocker, there may be unknown risks?

    Trying to find out more info on this, as I thought that by running -disable / -enable on a computer without BitLocker, that computer would ignore these cmdlets (do nothing).

    Unlike if I ran -off / -on, in which case BitLocker would be turned ON.

    Thank you for your help.

    • Author

      I still think you’ve got some other issue if you’re having so many computers run startup repair that you want to disable it. I used to support an army of systems that were all BitLocker encrypted and I can’t recall ever having one go into startup repair.

      I’m saying that (1) you should test it because I haven’t and (2) you shouldn’t blindly run any command against a system without doing a sanity check to see if it is necessary. I would never run a command like that without checking to see if BitLocker was enabled first and then skip the command if BitLocker wasn’t enabled.

  4. Ming, 8 years ago

    Thanks for the ideas.

    Wrote a script to run the manage-bde cmdlets if a computer has BitLocker Protection Status set to On; otherwise ignore.

    manage-bde -status c: | find /I "Protection Status: Protection On" >Nul && (
        manage-bde -protectors -disable c:
        manage-bde -protectors -enable c:
    ) || (
        echo No BitLocker - no action required
    )

  5. FH, 7 years ago

    We are trying to follow your post and turn on BitLocker on several Windows 2012 R2 servers.
    The problem is that when we try to turn on BitLocker, we do not have all the options in the GUI. For example, when turning on BitLocker on drive D, there is no option "Automatically unlock this drive on this computer", and for drive C it requires us to save the password to a file or USB.
    What we are seeing is that the screenshots you posted for Windows 2012 R2 are not available when we try to turn on BitLocker on the drives. We have looked everywhere and so far have found no resolution to this.
    We are wondering if you have seen this and can tell us what we are doing wrong. Dell server with TPM turned on.
    Thank you.

    • Reply

      Sounds as if Windows doesn’t recognize the TPM. Could be a driver issue. Can you see the TPM in device manager (under security devices)?

  6. FH, 7 years ago

    Hello:

    Yes, I can see the TPM under security devices, version 1.2.

    Has anybody seen this problem?

  7. Muhammad Hassan, 6 years ago

    Very nice post about BitLocker; see this video for the complete configuration.

    https://youtu.be/c3Ljd8Y4S-Q


© 4sysops 2006 - 2023
