How to Configure BitLocker with TPM on Windows Server 2025

BitLocker Drive Encryption protects data at rest by encrypting entire volumes using the AES-XTS-256 cipher. When combined with a Trusted Platform Module (TPM 2.0), BitLocker creates a hardware-rooted chain of trust that prevents the operating system volume from being read on any machine other than the one on which it was encrypted. Windows Server 2025 ships with native BitLocker support and introduces simplified management through updated PowerShell cmdlets and tighter integration with Active Directory and Azure Active Directory for recovery key escrow. This guide walks through every step of a production-grade BitLocker deployment — from TPM verification through Group Policy enforcement across your server fleet.

Prerequisites

  • Windows Server 2025 (Standard or Datacenter) with Desktop Experience or Server Core
  • A physical server with TPM 2.0 chip enabled in UEFI firmware (virtual machines require a virtual TPM for Hyper-V or similar)
  • UEFI Secure Boot enabled (strongly recommended — required for some BitLocker policy configurations)
  • Local Administrator or Domain Administrator privileges
  • BitLocker Drive Encryption feature installed (included by default on most Windows Server 2025 installations)
  • Active Directory Domain Services (optional, for recovery key backup to AD DS)
  • Group Policy Management Console for fleet deployment

Step 1: Verify TPM Presence and Status

Before enabling BitLocker, confirm that the server has a functioning TPM 2.0 chip. An absent, disabled, or version 1.2 TPM will prevent the TPM-based protector from working correctly.

# Check TPM status using PowerShell
Get-Tpm

# Key fields to review:
# TpmPresent       : True  — TPM chip detected
# TpmReady         : True  — TPM is initialized and ready for use
# TpmEnabled       : True  — TPM is enabled in firmware
# TpmActivated     : True  — TPM is activated
# TpmOwned         : True  — TPM ownership has been taken by Windows
# ManufacturerVersion is the vendor's firmware build, not the TPM spec version;
# confirm "2.0" via the SpecVersion property of Win32_Tpm (queried below)

# Get detailed TPM information including version
Get-Tpm | Select-Object TpmPresent, TpmReady, TpmEnabled, TpmActivated, TpmOwned, ManufacturerVersion

# Alternative: query the Win32_Tpm CIM class for additional details, including SpecVersion
# (Get-CimInstance replaces the deprecated Get-WmiObject; note the backslashes in the namespace)
Get-CimInstance -Namespace "Root\CIMv2\Security\MicrosoftTpm" -ClassName Win32_Tpm |
    Select-Object IsActivated_InitialValue, IsEnabled_InitialValue, IsOwned_InitialValue, SpecVersion

If TpmPresent is False, the TPM is either absent from the hardware or disabled in the UEFI firmware. Access the server’s UEFI/BIOS settings to enable the TPM under the Security or Trusted Computing section. Servers may label this as Intel PTT, AMD fTPM, or simply Trusted Platform Module.

You can also open tpm.msc (TPM Management Console) on Server with Desktop Experience for a graphical view of TPM status and to clear or take ownership of the TPM if required.
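The same checks gathered into one readiness gate, as an added example that is not part of the original guide. It also covers the Secure Boot, UEFI and feature prerequisites listed above; Confirm-SecureBootUEFI and $env:firmware_type are standard Windows facilities, and the function name is my own.

```powershell
function Test-BitLockerReadiness {
    # Returns one object per check; Ready is $true only when every check passes.
    $checks = @()
    $tpm = Get-Tpm
    $checks += [PSCustomObject]@{ Check = 'TPM present'; Pass = [bool]$tpm.TpmPresent; Detail = "TpmPresent=$($tpm.TpmPresent)" }
    $checks += [PSCustomObject]@{ Check = 'TPM ready';   Pass = [bool]$tpm.TpmReady
                                  Detail = "Enabled=$($tpm.TpmEnabled) Activated=$($tpm.TpmActivated) Owned=$($tpm.TpmOwned)" }

    # SpecVersion (e.g. "2.0, 0, 1.59") identifies the TPM generation; ManufacturerVersion does not.
    $cimTpm = Get-CimInstance -Namespace 'Root\CIMv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $spec = if ($cimTpm) { [string]$cimTpm.SpecVersion } else { '' }
    $checks += [PSCustomObject]@{ Check = 'TPM 2.0 spec'; Pass = ($spec -like '2.0*'); Detail = "SpecVersion=$spec" }

    # Confirm-SecureBootUEFI throws on legacy BIOS, so an exception counts as a failed check.
    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { }
    $checks += [PSCustomObject]@{ Check = 'UEFI firmware'; Pass = ($env:firmware_type -eq 'UEFI'); Detail = "firmware_type=$($env:firmware_type)" }
    $checks += [PSCustomObject]@{ Check = 'Secure Boot';   Pass = $secureBoot; Detail = "SecureBoot=$secureBoot" }

    # The BitLocker feature must be installed before Enable-BitLocker is available.
    $feature = Get-WindowsFeature -Name BitLocker
    $checks += [PSCustomObject]@{ Check = 'BitLocker feature'; Pass = ($feature.InstallState -eq 'Installed'); Detail = "InstallState=$($feature.InstallState)" }

    [PSCustomObject]@{
        Ready  = -not ($checks | Where-Object { -not $_.Pass })
        Checks = $checks
    }
}

$readiness = Test-BitLockerReadiness
$readiness.Checks | Format-Table -AutoSize
if (-not $readiness.Ready) { Write-Warning 'Resolve the failing checks before running Enable-BitLocker.' }
```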

Step 2: Install the BitLocker Feature

BitLocker is included with Windows Server 2025, but the feature and its management tools may not be installed by default, depending on the installation type.

# Check if BitLocker is already installed
Get-WindowsFeature -Name BitLocker | Select-Object Name, InstallState

# Install BitLocker and the management tools. The same command is used on Server Core:
# the BitLocker PowerShell module ships with the feature itself, so no separate step is needed
Install-WindowsFeature -Name BitLocker -IncludeManagementTools -IncludeAllSubFeature

# Verify installation completed successfully
Get-WindowsFeature -Name BitLocker | Select-Object Name, InstallState

# A restart is typically required after installing BitLocker
Restart-Computer -Confirm

Step 3: Enable BitLocker on the OS Drive with TPM Protector

Enabling BitLocker on the operating system volume (C:) uses the TPM to seal the encryption keys and verify system integrity at every boot. Windows Server 2025 defaults to XTS-AES 256-bit encryption, which is the strongest available cipher mode.

# Enable BitLocker on the OS drive using TPM protector only
# SkipHardwareTest skips the pre-encryption hardware check reboot (use with caution in production)
Enable-BitLocker -MountPoint "C:" `
    -EncryptionMethod XtsAes256 `
    -TpmProtector `
    -SkipHardwareTest

# Verify BitLocker is encrypting
Get-BitLockerVolume -MountPoint "C:" | Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus

# Monitor encryption progress (it runs in the background and can take time on large drives)
while ((Get-BitLockerVolume -MountPoint "C:").EncryptionPercentage -lt 100) {
    $vol = Get-BitLockerVolume -MountPoint "C:"
    Write-Host "Encrypting: $($vol.EncryptionPercentage)% complete — $($vol.VolumeStatus)"
    Start-Sleep -Seconds 30
}
Write-Host "Encryption complete."

Step 4: Add a TPM+PIN Protector for Enhanced Security

A TPM-only protector is convenient but relies solely on the TPM's integrity measurements of the boot path. Adding a PIN creates a two-factor boot requirement: something you have (the TPM/hardware) and something you know (the PIN). This is particularly important for servers in co-location facilities or edge deployments where physical access controls are weaker.

# Prompt for a PIN securely
$securePin = Read-Host -AsSecureString -Prompt "Enter BitLocker PIN (minimum 6 digits)"

# Enable BitLocker with TPM+PIN protector
Enable-BitLocker -MountPoint "C:" `
    -EncryptionMethod XtsAes256 `
    -TpmAndPinProtector `
    -Pin $securePin `
    -SkipHardwareTest

# If BitLocker is already enabled with TPM-only, swap the protector: a volume can hold only one
# TPM-based protector, so remove the existing TPM protector before adding TPM+PIN.
# The volume is still unlocked and its recovery password remains in place during the swap.
$tpmOnly = (Get-BitLockerVolume -MountPoint "C:").KeyProtector |
    Where-Object { $_.KeyProtectorType -eq "Tpm" }
if ($tpmOnly) {
    Remove-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $tpmOnly.KeyProtectorId
}
Add-BitLockerKeyProtector -MountPoint "C:" `
    -TpmAndPinProtector `
    -Pin $securePin

# Verify protectors on the volume
(Get-BitLockerVolume -MountPoint "C:").KeyProtector | Select-Object KeyProtectorType, KeyProtectorId

Note that enabling a PIN means the server cannot automatically restart after an unattended reboot (Windows Update, patch cycles) without someone entering the PIN at the console. For servers that must reboot unattended, use TPM-only or TPM+Network Unlock (see Microsoft’s BitLocker Network Unlock documentation for domain-joined servers).

Step 5: Store the Recovery Key in Active Directory

A recovery key is the 48-digit numeric password used to unlock a BitLocker volume when the TPM fails, the firmware changes, or the PIN is forgotten. Storing recovery keys in Active Directory Domain Services ensures they can be retrieved by an administrator from any domain controller without physical access to the server.

# First, retrieve the recovery key protector ID
$vol = Get-BitLockerVolume -MountPoint "C:"
$recoveryProtector = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq "RecoveryPassword" }

if ($null -eq $recoveryProtector) {
    # Add a recovery password protector if one doesn't exist
    Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector
    $vol = Get-BitLockerVolume -MountPoint "C:"
    $recoveryProtector = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq "RecoveryPassword" }
}

# Back up the recovery key to Active Directory
Backup-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $recoveryProtector.KeyProtectorId

# Verify the backup was successful (requires AD DS access)
# In AD, find the computer object → BitLocker Recovery tab
# Or confirm via PowerShell with RSAT: each escrowed key is stored as an
# msFVE-RecoveryInformation child object directly under the computer account
$computer = Get-ADComputer $env:COMPUTERNAME
Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
    -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
    -Properties 'msFVE-RecoveryGuid', whenCreated |
    Select-Object Name, whenCreated

# Print the recovery key locally as a backup record (store securely)
Write-Host "Recovery Key ID : $($recoveryProtector.KeyProtectorId)"
Write-Host "Recovery Password: $($recoveryProtector.RecoveryPassword)"

Step 6: Encrypt Data Drives

For servers with separate data volumes, enable BitLocker on each non-OS drive as well. Data drives can use an auto-unlock mechanism tied to the OS drive, meaning they unlock automatically once the OS volume has been unlocked at boot.

# Enable BitLocker on a data drive (D:) with auto-unlock
Enable-BitLocker -MountPoint "D:" `
    -EncryptionMethod XtsAes256 `
    -RecoveryPasswordProtector

# Enable auto-unlock so the data drive unlocks automatically when C: is decrypted
Enable-BitLockerAutoUnlock -MountPoint "D:"

# Back up the data drive's recovery key to AD as well
$dataVol = Get-BitLockerVolume -MountPoint "D:"
$dataRecovery = $dataVol.KeyProtector | Where-Object { $_.KeyProtectorType -eq "RecoveryPassword" }
Backup-BitLockerKeyProtector -MountPoint "D:" -KeyProtectorId $dataRecovery.KeyProtectorId

# Verify all encrypted volumes
Get-BitLockerVolume | Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus, AutoUnlockEnabled

Step 7: Change the BitLocker PIN

Regular PIN rotation is a security best practice, particularly after staff changes or suspected credential exposure. Use the following command to update the PIN without disabling BitLocker or re-encrypting the drive.

# Option A: interactive change with manage-bde (prompts for the new PIN and keeps
# the existing protector in place)
manage-bde -changepin C:

# Option B: scriptable change by replacing the TPM+PIN protector. The volume stays
# unlocked, and only one TPM-based protector may exist, so remove the old one first.
$vol = Get-BitLockerVolume -MountPoint "C:"
$pinProtector = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq "TpmPin" }

$newPin = Read-Host -AsSecureString -Prompt "Enter new BitLocker PIN"

Remove-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $pinProtector.KeyProtectorId
Add-BitLockerKeyProtector -MountPoint "C:" -TpmAndPinProtector -Pin $newPin

Write-Host "BitLocker PIN updated successfully."

Step 8: Monitor BitLocker Status Across Your Server Fleet

Managing BitLocker manually server-by-server does not scale. Use PowerShell remoting to audit encryption status across multiple servers simultaneously.

# Define your server list
$servers = @("SRV-DC01", "SRV-FILE01", "SRV-SQL01", "SRV-WEB01", "SRV-BACKUP01")

# Query BitLocker status on all servers in parallel.
# ForEach-Object -Parallel needs PowerShell 7+; on Windows PowerShell 5.1 use
# Invoke-Command -ComputerName $servers instead, which fans out in parallel on its own.
$results = $servers | ForEach-Object -Parallel {
    $srv = $_
    try {
        $session = New-PSSession -ComputerName $srv -ErrorAction Stop
        $volumes = Invoke-Command -Session $session -ScriptBlock {
            Get-BitLockerVolume | Select-Object MountPoint, VolumeStatus,
                EncryptionPercentage, ProtectionStatus,
                @{N="EncryptionMethod"; E={$_.EncryptionMethod}}
        }
        Remove-PSSession $session
        [PSCustomObject]@{
            Server  = $srv
            Volumes = $volumes
            Status  = "OK"
        }
    } catch {
        [PSCustomObject]@{
            Server  = $srv
            Volumes = $null
            Status  = "UNREACHABLE: $_"
        }
    }
} -ThrottleLimit 10

# Display results (pipe Format-Table to Out-Host so each table renders under its
# header instead of being emitted after all the Write-Host lines)
$results | ForEach-Object {
    Write-Host "`n=== $($_.Server) ===" -ForegroundColor Cyan
    if ($_.Volumes) {
        $_.Volumes | Format-Table MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus | Out-Host
    } else {
        Write-Warning $_.Status
    }
}
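As an added example that is not part of the original guide, the following turns the fleet inventory into a compliance report against the target state this guide describes (XTS-AES 256, protection on, fully encrypted, a recovery password to escrow, OS volume bound to the TPM, data volumes auto-unlocked). Server names are placeholders, WinRM is assumed to be enabled on the targets, and Invoke-Command -ComputerName is used so it also runs on Windows PowerShell 5.1.

```powershell
# Placeholder server names; replace with your own inventory
$servers = @("SRV-FILE01", "SRV-SQL01")

# Collect one record per volume, including the protector types, which the status
# query above does not carry back. Enum values are cast to strings so they survive
# remoting as plain text.
$inventory = Invoke-Command -ComputerName $servers -ScriptBlock {
    Get-BitLockerVolume | ForEach-Object {
        [PSCustomObject]@{
            Server               = $env:COMPUTERNAME
            MountPoint           = $_.MountPoint
            VolumeType           = [string]$_.VolumeType        # OperatingSystem or Data
            EncryptionMethod     = [string]$_.EncryptionMethod
            ProtectionStatus     = [string]$_.ProtectionStatus
            EncryptionPercentage = $_.EncryptionPercentage
            AutoUnlockEnabled    = [bool]$_.AutoUnlockEnabled
            Protectors           = @($_.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
        }
    }
}

# Evaluate one volume record against the guide's target state and list every gap
function Test-BitLockerVolumeCompliance {
    param([Parameter(Mandatory)] $Volume)
    $tpmTypes = 'Tpm', 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey', 'TpmNetworkKey'
    $findings = @()
    if ($Volume.ProtectionStatus -ne 'On')            { $findings += 'protection is off or suspended' }
    if ($Volume.EncryptionPercentage -lt 100)         { $findings += "only $($Volume.EncryptionPercentage)% encrypted" }
    if ($Volume.EncryptionMethod -ne 'XtsAes256')     { $findings += "cipher is $($Volume.EncryptionMethod), expected XtsAes256" }
    if ('RecoveryPassword' -notin $Volume.Protectors) { $findings += 'no recovery password protector to escrow in AD' }
    if ($Volume.VolumeType -eq 'OperatingSystem') {
        if (-not ($Volume.Protectors | Where-Object { $_ -in $tpmTypes })) { $findings += 'OS volume is not bound to the TPM' }
    } elseif (-not $Volume.AutoUnlockEnabled) {
        $findings += 'data volume has no auto-unlock and will need a key at boot'
    }
    [PSCustomObject]@{
        Server     = $Volume.Server
        MountPoint = $Volume.MountPoint
        Compliant  = ($findings.Count -eq 0)
        Findings   = ($findings -join '; ')
    }
}

$inventory | ForEach-Object { Test-BitLockerVolumeCompliance -Volume $_ } | Format-Table -AutoSize
```

Any row with Compliant set to False is a server to revisit with Steps 3 to 6 above.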

Step 9: Deploy BitLocker Settings via Group Policy

For consistent enforcement across all domain-joined servers, configure BitLocker through Group Policy. The relevant policy node is at Computer Configuration → Administrative Templates → Windows Components → BitLocker Drive Encryption.

# Key GPO settings for BitLocker (configure via GPMC UI or PowerShell):

# Require TPM 2.0 — Computer Config → BitLocker → Operating System Drives
# Policy: "Require additional authentication at startup"
# → Require TPM: Enabled
# → Allow BitLocker without a compatible TPM: Disabled

# Require XTS-AES 256-bit encryption
# Policy: "Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)"
# → OS drives: XTS-AES 256
# → Fixed data drives: XTS-AES 256
# → Removable data drives: AES-CBC 256

# Enforce recovery key backup to AD DS before enabling BitLocker
# Policy: "Store BitLocker recovery information in Active Directory Domain Services"
# → Do not enable BitLocker until recovery information is stored in AD DS: Enabled

# Encrypt used space only (faster initial encryption on new servers)
# Policy: "Enforce drive encryption type on operating system drives"
# → Select encryption type: Used Space Only

# Validate GPO application on a server (this matches on the GPO name, so it only
# helps if your policy object is named accordingly)
gpresult /Scope Computer /R | Select-String "BitLocker"
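Checking by GPO name only proves a policy applied, not what it set. As an added example that is not part of the original guide, this reads back the registry values the BitLocker policy templates write under HKLM\SOFTWARE\Policies\Microsoft\FVE and compares them with the settings recommended above. The expected values assume the per-drive recovery policy ("Choose how BitLocker-protected operating system drives can be recovered") is the one configured for AD DS backup; adjust the table if your policy differs.

```powershell
$fvePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# Registry value, expected data and meaning, as defined in VolumeEncryption.admx
$expected = @(
    @{ Name = 'UseAdvancedStartup';            Value = 1; Meaning = 'Require additional authentication at startup: Enabled' }
    @{ Name = 'UseTPM';                         Value = 2; Meaning = 'TPM at startup: Required' }
    @{ Name = 'EnableBDEWithNoTPM';             Value = 0; Meaning = 'BitLocker without a compatible TPM: Disabled' }
    @{ Name = 'EncryptionMethodWithXtsOs';      Value = 7; Meaning = 'OS drives: XTS-AES 256' }
    @{ Name = 'EncryptionMethodWithXtsFdv';     Value = 7; Meaning = 'Fixed data drives: XTS-AES 256' }
    @{ Name = 'EncryptionMethodWithXtsRdv';     Value = 4; Meaning = 'Removable data drives: AES-CBC 256' }
    @{ Name = 'OSActiveDirectoryBackup';        Value = 1; Meaning = 'Save OS drive recovery information to AD DS' }
    @{ Name = 'OSRequireActiveDirectoryBackup'; Value = 1; Meaning = 'Do not enable BitLocker until recovery info is stored in AD DS' }
    @{ Name = 'OSEncryptionType';               Value = 2; Meaning = 'OS drive encryption type: Used Space Only' }
)

# Compare each expected value with what Group Policy actually wrote; an absent value
# means the setting is "Not Configured" on this server.
function Test-BitLockerPolicy {
    param([string]$Path = $fvePolicy, [object[]]$Rules = $expected)
    $current = if (Test-Path $Path) { Get-ItemProperty -Path $Path } else { $null }
    foreach ($rule in $Rules) {
        $actual = if ($current) { $current.($rule.Name) } else { $null }
        [PSCustomObject]@{
            Setting  = $rule.Meaning
            Expected = $rule.Value
            Actual   = if ($null -eq $actual) { '(not set)' } else { $actual }
            OK       = ($actual -eq $rule.Value)
        }
    }
}

Test-BitLockerPolicy | Format-Table -AutoSize
```

Run it after gpupdate /force on a freshly joined server to confirm the policy landed before the first Enable-BitLocker.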

Conclusion

Configuring BitLocker with TPM on Windows Server 2025 is a foundational data protection control that safeguards against physical theft, unauthorized disk removal, and offline data extraction attacks. By binding encryption keys to the TPM hardware, enforcing strong XTS-AES-256 cipher mode, backing recovery keys to Active Directory, and deploying configuration consistently through Group Policy, you ensure that encrypted volumes cannot be accessed outside of their intended hardware environment. For high-security deployments, combine the TPM protector with a PIN to enforce two-factor authentication at boot, and use PowerShell remoting scripts to continuously monitor BitLocker status across your entire server fleet — giving you the assurance that encryption coverage remains complete as servers are provisioned, decommissioned, and rebuilt over time.