How to Configure BitLocker Drive Encryption on Windows Server 2012 R2

BitLocker Drive Encryption provides volume-level encryption to protect data at rest on Windows Server 2012 R2. When a drive is protected with BitLocker, even if the physical disk is removed from the server and installed elsewhere, the data remains unreadable without the correct encryption key. For server environments, BitLocker is especially valuable on laptops, branch office servers, or any machine at risk of physical theft. This guide walks through installing BitLocker, configuring it with a TPM, managing recovery keys, and enabling BitLocker on data volumes.

Prerequisites

Before configuring BitLocker on Windows Server 2012 R2, ensure the following conditions are met. The server should have a Trusted Platform Module (TPM) version 1.2 or higher, although BitLocker can also operate without TPM using a USB startup key. The operating system drive must use NTFS and have at least two partitions: the system partition (unencrypted, used for startup) and the Windows volume to be encrypted. You need local Administrator or Domain Admin rights. Optionally, integrate with Active Directory to back up recovery keys automatically.

Installing the BitLocker Feature

BitLocker is available as a Windows feature on Server 2012 R2. Install it via Server Manager or PowerShell:

Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -Restart

The -Restart flag will reboot the server automatically if required. After the reboot, verify the feature is installed:

Get-WindowsFeature BitLocker

You should see the feature listed as Installed.

Checking TPM Status

The TPM chip is the preferred key storage mechanism for BitLocker. Check whether the TPM is enabled and ready:

Get-Tpm

Key fields to verify:

TpmPresent     : True
TpmReady       : True
TpmEnabled     : True
TpmOwned       : True

If TPM is present but not owned, initialize it:

Initialize-Tpm -AllowClear -AllowPhysicalPresence

If the server has no TPM, you must configure Group Policy to allow BitLocker without a TPM. Open gpedit.msc and navigate to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives. Enable “Require additional authentication at startup” and check “Allow BitLocker without a compatible TPM.”

Enabling BitLocker on the OS Drive

To encrypt the operating system drive (typically C:) using TPM with a PIN for additional security:

# Enable BitLocker on C: with TPM + PIN
$SecurePin = ConvertTo-SecureString "YourPIN1234!" -AsPlainText -Force
Enable-BitLocker -MountPoint "C:" -EncryptionMethod Aes256 -TpmAndPinProtector -Pin $SecurePin

For TPM-only (no PIN required at boot, suitable for servers that restart automatically):

Enable-BitLocker -MountPoint "C:" -EncryptionMethod Aes256 -TpmProtector

BitLocker will begin encrypting the drive. The server can continue operating during encryption. Monitor progress:

manage-bde -status C:

Look for Conversion Status: Encryption In Progress and the percentage complete.

Saving the Recovery Key

The recovery key is critical. If the TPM is cleared, the BIOS changes, or the PIN is forgotten, the recovery key is the only way to access the encrypted drive. Always save it to multiple locations. Save to a file:

$RecoveryKey = (Get-BitLockerVolume -MountPoint "C:").KeyProtector | 
    Where-Object {$_.KeyProtectorType -eq "RecoveryPassword"}
$RecoveryKey.RecoveryPassword | Out-File -FilePath "\FileServerBitLockerKeysServer01-C-Recovery.txt"

Back up to Active Directory (recommended for domain-joined servers):

# Get the recovery key protector ID
$KeyProtectorId = (Get-BitLockerVolume -MountPoint "C:").KeyProtector | 
    Where-Object {$_.KeyProtectorType -eq "RecoveryPassword"} | 
    Select-Object -ExpandProperty KeyProtectorId

# Backup to AD DS
Backup-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $KeyProtectorId

To enable automatic AD backup via Group Policy, navigate to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption and configure “Store BitLocker recovery information in Active Directory Domain Services.”

Enabling BitLocker on Data Volumes

Data volumes (non-OS drives) can be encrypted with an auto-unlock key that is tied to the encrypted OS drive, so they unlock automatically when the server starts:

# Enable BitLocker on D: with a recovery password
Enable-BitLocker -MountPoint "D:" -EncryptionMethod Aes256 -RecoveryPasswordProtector

# Enable auto-unlock for the data volume (requires OS drive to be BitLocker-protected)
Enable-BitLockerAutoUnlock -MountPoint "D:"

Verify auto-unlock is configured:

Get-BitLockerVolume -MountPoint "D:" | Select-Object AutoUnlockEnabled

Managing BitLocker with manage-bde

The command-line tool manage-bde provides additional management capabilities. Check status of all drives:

manage-bde -status

Add an additional recovery password protector:

manage-bde -protectors -add C: -RecoveryPassword

List all key protectors:

manage-bde -protectors -get C:

Pause and resume encryption (useful during maintenance windows):

manage-bde -pause C:
manage-bde -resume C:

Network Unlock for Server Environments

For servers in a datacenter that must reboot without physical interaction, BitLocker Network Unlock allows the server to unlock automatically when it boots on the corporate network. This requires a WDS server with the BitLocker Network Unlock feature. Install on the WDS server:

Install-WindowsFeature BitLocker-NetworkUnlock

Configure a certificate for Network Unlock via Group Policy: Computer Configuration > Windows Settings > Security Settings > Public Key Policies > BitLocker Drive Encryption Network Unlock Certificate. Import the WDS server certificate. When the encrypted server boots on the corporate network, DHCP provides the unlock key automatically.

Verification and Monitoring

After configuration, verify BitLocker status comprehensively:

Get-BitLockerVolume | Select-Object MountPoint, VolumeStatus, EncryptionPercentage, 
    LockStatus, EncryptionMethod, AutoUnlockEnabled | Format-Table -AutoSize

Expected output for a fully encrypted drive:

MountPoint VolumeStatus   EncryptionPercentage LockStatus EncryptionMethod
---------- ------------   -------------------- ---------- ----------------
C:         FullyEncrypted 100                  Unlocked   Aes256
D:         FullyEncrypted 100                  Unlocked   Aes256

Check event logs for BitLocker events:

Get-WinEvent -LogName "Microsoft-Windows-BitLocker/BitLocker Management" | 
    Select-Object TimeCreated, Id, Message | Format-List

Summary

BitLocker Drive Encryption on Windows Server 2012 R2 provides robust at-rest data protection through AES-256 encryption. The key steps are: installing the BitLocker feature, verifying TPM readiness, enabling encryption on the OS and data volumes, and securely storing recovery keys in Active Directory. For unattended server reboots, Network Unlock eliminates the need for manual PIN entry while maintaining security on the corporate network. Regular auditing of BitLocker status ensures drives remain protected and recovery keys stay current.