How to Configure BitLocker Drive Encryption on Windows Server 2025

BitLocker Drive Encryption is one of the most important security features available on Windows Server 2025, providing volume-level encryption that protects data at rest from unauthorized access — including physical theft of drives or servers. Unlike desktop BitLocker deployments, server environments require careful planning around Trusted Platform Module (TPM) availability, recovery key storage in Active Directory, and the operational impact of encryption on running workloads. This guide walks you through the complete process of enabling, managing, and optionally removing BitLocker on Windows Server 2025, covering TPM verification, recovery key backup, network unlock for domain-joined servers, Group Policy enforcement, and performance-conscious encryption options.

Prerequisites

  • Windows Server 2025 (Standard or Datacenter edition)
  • TPM 2.0 chip present and enabled in UEFI firmware
  • UEFI boot mode (not legacy BIOS) for OS drive encryption with TPM
  • BitLocker Drive Encryption feature installed (included by default)
  • Domain Admin or local Administrator privileges
  • Active Directory (optional, but recommended for recovery key escrow)
  • Sufficient free disk space; used-space-only encryption also finishes far faster than full-volume encryption

Step 1: Verify TPM Status with PowerShell

Before enabling BitLocker, confirm that a TPM chip is present, enabled, and ready. Windows Server 2025 requires TPM 2.0 for optimal BitLocker functionality. Use the Get-Tpm cmdlet to retrieve detailed TPM status information.

# Check TPM presence and status
Get-Tpm

# Example output fields to verify:
# TpmPresent       : True
# TpmReady         : True
# TpmEnabled       : True
# TpmActivated     : True
# TpmOwned         : True
# ManagedAuthLevel : Full

# Get detailed TPM information including version
Get-Tpm | Select-Object *

# If TPM is not ready, initialize it
Initialize-Tpm -AllowClear -AllowPhysicalPresence

If TpmReady returns False, enter the server’s UEFI firmware settings and ensure the TPM is enabled. After enabling it in firmware, use Initialize-Tpm to prepare it for use by Windows.

Step 2: Enable BitLocker on the OS Drive

Enabling BitLocker on the operating system volume (typically C:) requires both a TPM protector and a recovery password protector. The TPM protector handles automatic unlock on boot; the recovery password is used as a fallback when TPM validation fails, such as after firmware updates or hardware changes.

# Enable BitLocker on C: with TPM + Recovery Password protectors
Enable-BitLocker -MountPoint "C:" `
    -RecoveryPasswordProtector `
    -TpmProtector `
    -UsedSpaceOnly `
    -Verbose

# Verify that encryption has started
Get-BitLockerVolume -MountPoint "C:"

# Monitor encryption progress until EncryptionPercentage reaches 100
do {
    $vol = Get-BitLockerVolume -MountPoint "C:"
    Write-Host "Encrypting... $($vol.EncryptionPercentage)% complete"
    Start-Sleep -Seconds 10
} while ($vol.EncryptionPercentage -lt 100)
Write-Host "Encryption complete."

The -UsedSpaceOnly switch instructs BitLocker to encrypt only the space currently occupied by data rather than the entire volume, significantly reducing the time required for initial encryption on large drives. This is the recommended option for new server deployments.

Step 3: Encrypt Additional Data Volumes

Data volumes do not require a TPM protector. Instead, you can use an auto-unlock protector that ties the volume to the encrypted OS drive, so data volumes unlock automatically when the server boots.

# Enable BitLocker on a data volume with auto-unlock
Enable-BitLocker -MountPoint "D:" `
    -RecoveryPasswordProtector `
    -UsedSpaceOnly

# Enable auto-unlock so D: unlocks when C: is unlocked
Enable-BitLockerAutoUnlock -MountPoint "D:"

# Verify auto-unlock is configured
Get-BitLockerVolume -MountPoint "D:" | Select-Object MountPoint, AutoUnlockEnabled, VolumeStatus

Step 4: Back Up Recovery Keys to Active Directory and File

Recovery key backup is critical in enterprise environments. If the TPM state changes (firmware update, hardware replacement, motherboard swap), the recovery password is the only way to regain access to encrypted volumes. Windows Server 2025 supports backing up recovery keys directly to Active Directory Domain Services (AD DS).

# Get the Key Protector ID for the recovery password
$vol = Get-BitLockerVolume -MountPoint "C:"
$recoveryProtector = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq "RecoveryPassword" }
$recoveryKeyId = $recoveryProtector.KeyProtectorId

Write-Host "Recovery Key Protector ID: $recoveryKeyId"

# Back up recovery key to Active Directory
Backup-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $recoveryKeyId

# Also save recovery key to a file (store securely off-server)
$recoveryPassword = $recoveryProtector.RecoveryPassword
$recoveryPassword | Out-File -FilePath "\\fileserver\BitLockerKeys\$env:COMPUTERNAME-C-RecoveryKey.txt" -Force

# Verify AD backup succeeded (requires RSAT AD module)
Import-Module ActiveDirectory
$computer = Get-ADComputer -Identity $env:COMPUTERNAME
# Recovery keys appear as msFVE-RecoveryInformation child objects of the computer account
Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
    -SearchBase $computer.DistinguishedName `
    -Properties 'msFVE-RecoveryPassword' | Select-Object Name, 'msFVE-RecoveryPassword'

Step 5: Check BitLocker Volume Status

Use Get-BitLockerVolume to audit all volumes on a server for their encryption state, protection status, and configured key protectors.

# Get BitLocker status for all volumes
Get-BitLockerVolume

# Detailed view of a specific volume
Get-BitLockerVolume -MountPoint "C:" | Format-List *

# Check protection status on all volumes (useful for compliance auditing)
Get-BitLockerVolume | Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage, EncryptionMethod

# VolumeStatus values:
# FullyEncrypted       - encryption complete
# EncryptionInProgress - encryption running
# FullyDecrypted       - no encryption
# ProtectionStatus values (separate property):
# On / Off             - whether the key protectors are active (Off also means suspended)
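The following audit script is an added example, not part of the original guide. It ties Steps 4 and 5 together: for every volume it reports the protector set and checks that each local recovery password actually exists as an msFVE-RecoveryInformation object under the computer account in AD DS, so "backed up" is verified rather than assumed. It assumes the RSAT ActiveDirectory module and read access to the recovery objects; the function name Test-BitLockerEscrow is my own.

```powershell
# Added example: verify that every recovery password on this server is escrowed in AD DS
# and summarise protector coverage per volume. Assumes RSAT ActiveDirectory is installed.
function Test-BitLockerEscrow {
    Import-Module ActiveDirectory -ErrorAction Stop
    $computerDn = (Get-ADComputer -Identity $env:COMPUTERNAME).DistinguishedName

    # Recovery passwords live as msFVE-RecoveryInformation children of the computer object
    $escrowed = Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
        -SearchBase $computerDn -Properties 'msFVE-RecoveryPassword' |
        ForEach-Object { $_.'msFVE-RecoveryPassword' }

    foreach ($vol in Get-BitLockerVolume) {
        $recovery = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
        $hasTpm   = [bool]($vol.KeyProtector | Where-Object { $_.KeyProtectorType -like 'Tpm*' })

        # A recovery protector counts as escrowed only if AD holds the identical 48-digit password
        $escrowOk = $false
        if ($recovery) {
            $escrowOk = [bool]($recovery | Where-Object { $escrowed -contains $_.RecoveryPassword })
        }

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType
            VolumeStatus     = $vol.VolumeStatus
            ProtectionStatus = $vol.ProtectionStatus
            EncryptionMethod = $vol.EncryptionMethod
            HasTpmProtector  = $hasTpm
            RecoveryEscrowed = $escrowOk
            # OS volume needs TPM + escrowed recovery password; data volumes need the escrow only
            Compliant        = ($vol.VolumeType -ne 'OperatingSystem' -or $hasTpm) -and
                               $escrowOk -and ($vol.ProtectionStatus -eq 'On')
        }
    }
}

Test-BitLockerEscrow | Format-Table -AutoSize
```

Any row with RecoveryEscrowed = False should be fixed with Backup-BitLockerKeyProtector (Step 4) before the server is considered protected.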

Step 6: Configure BitLocker Network Unlock

Network Unlock allows domain-joined Windows Server 2025 machines to automatically unlock their BitLocker-encrypted OS drive during a network boot without requiring manual PIN entry. This is essential for remote servers where physical access is not practical for every reboot.

# Network Unlock requires a WDS server with the BitLocker Network Unlock feature
# On the WDS/Network Unlock server:
Add-WindowsFeature BitLocker-NetworkUnlock

# Generate a Network Unlock certificate (from an enterprise CA, or self-signed for testing)
# and deploy its public certificate to client servers via GPO:
# Computer Configuration > Windows Settings > Security Settings > Public Key Policies >
# BitLocker Drive Encryption Network Unlock Certificate

# On the client server, confirm the GPO-delivered certificate has arrived
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like "*BitLockerNetworkUnlock*" }
if (-not $cert) { Write-Warning "Network Unlock certificate not found; run gpupdate /force and re-check" }

# Network Unlock works with the OS drive's existing TPM protector (Step 2) plus the deployed
# certificate. Add-BitLockerKeyProtector has no Network Unlock switch; -ADAccountOrGroupProtector
# creates an unrelated SID-based protector and does not enable Network Unlock.

# Verify the protectors on C: after the policy has applied and the server has rebooted
Get-BitLockerVolume -MountPoint "C:" | Select-Object -ExpandProperty KeyProtector

Step 7: Enforce BitLocker via Group Policy

In domain environments, Group Policy Objects (GPOs) provide the authoritative method for enforcing consistent BitLocker configuration across all servers. Key policy paths in the Group Policy Management Console are under Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption.

# Key GPO settings to configure (via GPMC or registry):

# Require BitLocker backup to AD before enabling (prevents lockout)
# Path: BitLocker Drive Encryption > Operating System Drives
# Policy: "Do not enable BitLocker until recovery information is stored to AD DS"

# Enforce TPM + PIN or TPM-only startup
# Policy: "Require additional authentication at startup"

# Set encryption algorithm (AES-256 recommended for servers)
# Policy: "Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)"

# Apply GPO settings via PowerShell registry (for scripted deployment)
$regPath = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"
if (-not (Test-Path $regPath)) { New-Item -Path $regPath -Force | Out-Null }

# Enforce AES-256 XTS encryption
Set-ItemProperty -Path $regPath -Name "EncryptionMethodWithXtsFdv" -Value 7 -Type DWord
Set-ItemProperty -Path $regPath -Name "EncryptionMethodWithXtsOs" -Value 7 -Type DWord

# Require recovery to AD before enabling
Set-ItemProperty -Path $regPath -Name "OSActiveDirectoryBackup" -Value 1 -Type DWord
Set-ItemProperty -Path $regPath -Name "OSRequireActiveDirectoryBackup" -Value 1 -Type DWord
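This drift check is an added example, not part of the original guide. It compares the FVE policy values set above against the intended baseline and, separately, flags volumes whose cipher does not match: the policy only governs encryption started after it applies, so a volume encrypted earlier with XTS-AES 128 keeps that cipher until it is decrypted and re-encrypted. The function name Test-BitLockerPolicyBaseline is my own; the registry value names and the EncryptionMethod enum values are the ones used by this guide and Get-BitLockerVolume.

```powershell
# Added example: report drift between the FVE policy baseline and the effective state.
function Test-BitLockerPolicyBaseline {
    $regPath  = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $baseline = @{
        EncryptionMethodWithXtsOs      = 7   # XTS-AES 256 for OS drives
        EncryptionMethodWithXtsFdv     = 7   # XTS-AES 256 for fixed data drives
        OSActiveDirectoryBackup        = 1   # escrow OS recovery info to AD DS
        OSRequireActiveDirectoryBackup = 1   # refuse to enable until escrow succeeds
    }
    $current = if (Test-Path $regPath) { Get-ItemProperty -Path $regPath } else { $null }

    # Policy values: missing key or missing value both count as a failed check
    foreach ($name in $baseline.Keys) {
        $actual = if ($current) { $current.$name } else { $null }
        [pscustomobject]@{
            Check    = "Policy:$name"
            Expected = $baseline[$name]
            Actual   = $actual
            Pass     = ($actual -eq $baseline[$name])
        }
    }

    # Existing volumes keep the cipher they were encrypted with, regardless of later policy
    foreach ($vol in Get-BitLockerVolume | Where-Object { $_.VolumeStatus -ne 'FullyDecrypted' }) {
        [pscustomobject]@{
            Check    = "Volume:$($vol.MountPoint)"
            Expected = 'XtsAes256'
            Actual   = [string]$vol.EncryptionMethod
            Pass     = ([string]$vol.EncryptionMethod -eq 'XtsAes256')
        }
    }
}

Test-BitLockerPolicyBaseline | Format-Table -AutoSize
```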

Step 8: Disable BitLocker When Needed

BitLocker can be suspended temporarily (for firmware updates or hardware maintenance) or fully decrypted. Suspension keeps data encrypted but disables the protectors so the volume unlocks without TPM validation.

# Suspend BitLocker (for firmware updates — re-enables automatically on next boot)
Suspend-BitLocker -MountPoint "C:" -RebootCount 1

# Check suspended status
Get-BitLockerVolume -MountPoint "C:" | Select-Object ProtectionStatus
# ProtectionStatus: Off = suspended, On = active

# Resume BitLocker protection manually
Resume-BitLocker -MountPoint "C:"

# Fully decrypt a volume (time-consuming on large drives)
# If data volumes auto-unlock from C: (Step 3), clear those keys first or the OS volume cannot be decrypted
Clear-BitLockerAutoUnlock
Disable-BitLocker -MountPoint "C:"

# Monitor decryption progress (EncryptionPercentage counts down to 0)
while ((Get-BitLockerVolume -MountPoint "C:").VolumeStatus -ne "FullyDecrypted") {
    $vol = Get-BitLockerVolume -MountPoint "C:"
    Write-Host "Decrypting... $($vol.EncryptionPercentage)% still encrypted"
    Start-Sleep -Seconds 10
}
Write-Host "Volume fully decrypted."

# Decrypt all volumes at once
Get-BitLockerVolume | Disable-BitLocker

Conclusion

BitLocker Drive Encryption on Windows Server 2025 provides robust, hardware-backed protection for data at rest with minimal performance impact when used with the used-disk-space-only option and AES-256-XTS encryption. By combining TPM-based automatic unlock with Active Directory recovery key escrow, Network Unlock for remote servers, and GPO enforcement across your server fleet, you can achieve comprehensive drive encryption coverage that satisfies most compliance frameworks including HIPAA, PCI-DSS, and ISO 27001. Always verify recovery key backup before enabling BitLocker on production systems, and use Suspend-BitLocker rather than disabling encryption before planned firmware or hardware maintenance to avoid unnecessary decryption cycles.