Introduction to BitLocker Drive Encryption on Windows Server 2022
BitLocker Drive Encryption is a full-volume encryption feature built into Windows Server 2022 that protects data at rest by encrypting entire volumes. When a server is decommissioned, stolen, or its drives are removed, BitLocker prevents unauthorized access to the data. Unlike file-level encryption, BitLocker encrypts everything on the volume — the operating system, page file, hibernation file, temporary files, and user data — using AES-128 or AES-256 encryption with XTS mode (the default on Windows Server 2022).
BitLocker is particularly important for servers stored in co-location facilities, branch offices, remote locations, or any environment where physical security cannot be fully guaranteed. It also satisfies many compliance requirements including PCI-DSS, HIPAA, and GDPR for data protection at rest.
BitLocker Prerequisites
Before enabling BitLocker on Windows Server 2022, verify the following prerequisites are met. First, the BitLocker Drive Encryption feature must be installed. Second, the disk must use NTFS or ReFS formatting. Third, for OS drive encryption, the system firmware must support TPM 1.2 or higher (TPM 2.0 is strongly recommended). Fourth, the system partition (System Reserved or EFI partition) must be at least 250 MB and must not be encrypted.
Install the BitLocker feature and its administrative tools using PowerShell:
Install-WindowsFeature -Name BitLocker -IncludeManagementTools -IncludeAllSubFeature
After installation, a reboot is required before BitLocker can be configured.
Managing the TPM Chip
The Trusted Platform Module (TPM) is a hardware security chip used by BitLocker to store encryption keys and perform platform integrity checks during boot. The TPM measures the boot process and will release the encryption key only if the measurements match what was recorded when BitLocker was first enabled — this prevents boot-time tampering.
Check TPM status with PowerShell:
Get-Tpm
The output shows TpmPresent, TpmReady, TpmEnabled, TpmActivated, and TpmOwned properties. If TpmReady is False, you may need to initialize the TPM:
Initialize-Tpm
To clear the TPM (this erases all TPM-protected keys — use with caution):
Clear-Tpm
BitLocker Protector Types: TPM, Password, and USB Key
BitLocker supports multiple key protector types that control how the volume master key (VMK) is protected. You can combine multiple protectors for redundancy. The three primary protectors are TPM, password (PIN), and startup key (USB drive).
TPM only — The TPM automatically unseals the key at boot if platform measurements match. No user interaction required. Suitable for data center servers.
TPM + PIN — Requires a PIN at every boot in addition to TPM validation. More secure but requires console access at reboot.
TPM + Startup Key — Requires a USB drive containing the startup key at boot. Useful when TPM alone is insufficient.
Password — Used for data drives without TPM involvement. A password must be entered to unlock the volume.
Recovery Password — A 48-digit numerical key used for emergency recovery. Always configure this as a backup protector.
Encrypting the OS Drive
To encrypt the operating system drive (C:) using TPM with a recovery password protector, run the following PowerShell commands. Enable-BitLocker accepts only one protector switch per call, so the recovery password protector is added first with Add-BitLockerKeyProtector and the TPM protector is supplied when encryption is started:
Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector
Enable-BitLocker -MountPoint "C:" -TpmProtector
To use TPM + PIN (the PIN is passed as a secure string; by default BitLocker PINs must be numeric, 6 to 20 digits, unless the "Allow enhanced PINs for startup" policy is enabled):
$secPin = ConvertTo-SecureString "48213790" -AsPlainText -Force
Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector
Enable-BitLocker -MountPoint "C:" -TpmAndPinProtector -Pin $secPin
The encryption begins immediately in the background. The system remains fully functional during encryption. You can monitor progress with:
Get-BitLockerVolume -MountPoint "C:"
Look at the EncryptionPercentage property in the output. The VolumeStatus will show EncryptionInProgress until complete.
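The OS-drive procedure above as one script, added here as an example (not code from the original article): it checks TPM readiness, adds the recovery password before encryption starts, then enables BitLocker with the TPM protector and returns the resulting protector set. The function name, the XtsAes256 default and the use of -SkipHardwareTest are this example's own choices.

```powershell
# Added example: enable BitLocker on the OS drive in the safe order.
# Run from an elevated PowerShell session on the server itself.
function Enable-OsDriveBitLocker {
    param(
        [string]$MountPoint = "C:",
        [ValidateSet("XtsAes128", "XtsAes256")]
        [string]$EncryptionMethod = "XtsAes256"   # assumption: 256-bit baseline
    )

    # 1. Enable-BitLocker -TpmProtector fails unless the TPM is present and ready.
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        throw "TPM not ready (Present=$($tpm.TpmPresent), Ready=$($tpm.TpmReady)); run Initialize-Tpm first."
    }

    # 2. Refuse to run on a volume that already has protectors; use Add-BitLockerKeyProtector there.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if (@($vol.KeyProtector).Count -gt 0) {
        throw "$MountPoint already has $(@($vol.KeyProtector).Count) key protector(s)."
    }

    # 3. Add the recovery password BEFORE encryption starts, so a later change in
    #    boot measurements (firmware update, boot manager change) never locks you out.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null

    # 4. Start encryption with the TPM as the boot-time protector. Only one protector
    #    switch is allowed per Enable-BitLocker call, which is why step 3 is separate.
    #    -SkipHardwareTest skips the extra reboot that tests the TPM unlock path first.
    Enable-BitLocker -MountPoint $MountPoint -TpmProtector `
        -EncryptionMethod $EncryptionMethod -SkipHardwareTest | Out-Null

    # 5. Return status plus the recovery password so the caller can escrow it immediately.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        VolumeStatus     = $vol.VolumeStatus
        EncryptionMethod = $vol.EncryptionMethod
        Percent          = $vol.EncryptionPercentage
        ProtectorTypes   = ($vol.KeyProtector.KeyProtectorType -join ", ")
        RecoveryPassword = ($vol.KeyProtector |
            Where-Object KeyProtectorType -eq "RecoveryPassword").RecoveryPassword
    }
}

Enable-OsDriveBitLocker -MountPoint "C:"
```

The returned RecoveryPassword is sensitive; record it in your escrow location and do not leave it in transcript or console logs.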
Encrypting Data Drives
Data drives (non-OS volumes) can be encrypted with a password protector or using auto-unlock tied to the OS drive. To encrypt a data drive with a password:
$secPass = ConvertTo-SecureString "DataDrivePass!" -AsPlainText -Force
Add-BitLockerKeyProtector -MountPoint "D:" -RecoveryPasswordProtector
Enable-BitLocker -MountPoint "D:" -PasswordProtector -Password $secPass
To configure auto-unlock so the data drive unlocks automatically when the encrypted OS drive is already unlocked:
Enable-BitLockerAutoUnlock -MountPoint "D:"
This stores an auto-unlock key in the OS drive’s metadata. As long as C: is unlocked, D: unlocks automatically at mount time.
Checking BitLocker Status with Get-BitLockerVolume
The Get-BitLockerVolume cmdlet returns detailed status information for all BitLocker-protected volumes or a specific mount point:
Get-BitLockerVolume
To inspect a specific drive and see its key protectors:
Get-BitLockerVolume -MountPoint "C:" | Select-Object *
Key properties in the output include: MountPoint, VolumeStatus (FullyEncrypted, EncryptionInProgress, FullyDecrypted), ProtectionStatus (On, Off), EncryptionMethod (XtsAes256), EncryptionPercentage, and KeyProtector (a list of all configured protectors with their IDs and types).
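Turning the properties above into a check, as an added example (not from the original article): the function below audits every BitLocker volume against a baseline and returns one row per volume with a Compliant flag. The baseline (XtsAes256, a RecoveryPassword protector on every drive, a TPM-based protector on the OS drive) and the function name are this example's assumptions.

```powershell
# Added example: audit all BitLocker volumes on this server against a baseline.
function Get-BitLockerCompliance {
    param([string]$RequiredMethod = "XtsAes256")   # assumption: required cipher

    foreach ($vol in Get-BitLockerVolume) {
        $types    = @($vol.KeyProtector.KeyProtectorType | ForEach-Object { "$_" })
        $findings = New-Object System.Collections.Generic.List[string]

        if ($vol.ProtectionStatus -ne "On") {
            $findings.Add("protection is $($vol.ProtectionStatus)")
        }
        if ($vol.VolumeStatus -ne "FullyEncrypted") {
            $findings.Add("volume is $($vol.VolumeStatus) ($($vol.EncryptionPercentage)%)")
        }
        # Cipher check only makes sense once something is encrypted.
        if ($vol.VolumeStatus -ne "FullyDecrypted" -and "$($vol.EncryptionMethod)" -ne $RequiredMethod) {
            $findings.Add("cipher is $($vol.EncryptionMethod), baseline is $RequiredMethod")
        }
        if ($types -notcontains "RecoveryPassword") {
            $findings.Add("no RecoveryPassword protector (no way in if the normal unlock fails)")
        }
        # OS drive must have a TPM-based protector: Tpm, TpmPin, TpmStartupKey or TpmPinStartupKey.
        if ($vol.VolumeType -eq "OperatingSystem" -and -not ($types | Where-Object { $_ -like "Tpm*" })) {
            $findings.Add("OS drive has no TPM-based protector")
        }

        [pscustomobject]@{
            MountPoint = $vol.MountPoint
            VolumeType = $vol.VolumeType
            Method     = $vol.EncryptionMethod
            Protectors = ($types -join ",")
            Compliant  = ($findings.Count -eq 0)
            Findings   = ($findings -join "; ")
        }
    }
}

# Usage: non-compliant volumes first; the exit code lets a scheduled job or monitor pick this up.
$report = Get-BitLockerCompliance
$report | Sort-Object Compliant | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Compliant }) { exit 1 }
```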
Suspending and Resuming BitLocker
Before applying firmware updates, BIOS changes, or non-Microsoft boot manager updates, suspend BitLocker temporarily. Suspension leaves the volume encrypted but disables the protectors, so the resulting changes to the boot measurements do not force the drive into recovery:
Suspend-BitLocker -MountPoint "C:" -RebootCount 1
The -RebootCount 1 parameter means BitLocker will automatically re-enable protectors after one reboot. A value of 0 suspends indefinitely until manually resumed:
Resume-BitLocker -MountPoint "C:"
To disable BitLocker entirely and decrypt the volume (this takes time proportional to volume size):
Disable-BitLocker -MountPoint "C:"
Backing Up the Recovery Key
The recovery key is critical — without it, a locked BitLocker volume cannot be accessed if the normal unlock method fails. Back up the 48-digit recovery password immediately after enabling BitLocker. First, find the key protector ID:
$vol = Get-BitLockerVolume -MountPoint "C:"
$rp = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq "RecoveryPassword" }
$rp.KeyProtectorId
Back up to Active Directory (requires the BitLocker AD DS backup Group Policy to be enabled):
foreach ($p in $rp) { Backup-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $p.KeyProtectorId }
Export the recovery key to a text file (store this file securely off the server):
$kp = (Get-BitLockerVolume -MountPoint "C:").KeyProtector | Where-Object { $_.KeyProtectorType -eq "RecoveryPassword" }
$kp.RecoveryPassword | Out-File -FilePath "\\fileserver\bitlocker-keys\server01-C.txt"
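Escrowing alone is not enough; you want proof the key actually reached the directory. The following is an added example (not from the original article) that backs up every RecoveryPassword protector on the server to AD DS and then confirms the matching msFVE-RecoveryInformation object exists under the computer account. It assumes the RSAT ActiveDirectory module is installed, the AD DS backup policy is enabled, and the function name is this example's own.

```powershell
# Added example: escrow all recovery passwords to AD DS and verify the escrow.
Import-Module ActiveDirectory

function Backup-AllRecoveryPasswordsToAd {
    $computerDn = (Get-ADComputer -Identity $env:COMPUTERNAME).DistinguishedName

    foreach ($vol in Get-BitLockerVolume) {
        $rps = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq "RecoveryPassword" })
        if ($rps.Count -eq 0) {
            # Report drives with nothing to escrow instead of silently skipping them.
            [pscustomobject]@{ MountPoint = $vol.MountPoint; ProtectorId = $null; EscrowedInAd = $false }
            continue
        }
        foreach ($rp in $rps) {
            try {
                Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                    -KeyProtectorId $rp.KeyProtectorId -ErrorAction Stop | Out-Null
            } catch {
                Write-Warning "Escrow failed for $($vol.MountPoint) $($rp.KeyProtectorId): $_"
            }
            # AD stores each recovery password as a child object of the computer account;
            # the object's CN is a timestamp followed by the protector GUID in braces.
            $adObj = Get-ADObject -SearchBase $computerDn -SearchScope OneLevel `
                -Filter 'objectClass -eq "msFVE-RecoveryInformation"' |
                Where-Object { $_.Name -like "*$($rp.KeyProtectorId)*" }

            [pscustomobject]@{
                MountPoint   = $vol.MountPoint
                ProtectorId  = $rp.KeyProtectorId
                EscrowedInAd = [bool]$adObj
            }
        }
    }
}

Backup-AllRecoveryPasswordsToAd | Format-Table -AutoSize
```

A false EscrowedInAd right after a successful backup can simply be replication lag if the query hits a different domain controller than the one that received the write; re-run the check after replication before treating it as a failure.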
BitLocker Network Unlock
BitLocker Network Unlock allows servers configured with TPM + PIN (or TPM + Startup Key) to boot automatically on the corporate network without requiring manual PIN entry. This is ideal for remote servers that need to reboot unattended but still require pre-boot authentication when booted off the network.
Network Unlock requires a WDS (Windows Deployment Services) server with the BitLocker Network Unlock provider role, a DHCP server, and UEFI firmware supporting PXE boot. A Network Unlock certificate must be installed on the WDS server, and its public certificate deployed to each client through Group Policy. When the server boots on the corporate network, it contacts the WDS server via DHCP, receives the encrypted network key, and unlocks automatically. If the server is booted off the corporate network, it falls back to requiring the PIN or startup key.
BitLocker on Server Core
On Windows Server 2022 Core (no GUI), BitLocker is managed entirely from the command line. Install the feature:
Install-WindowsFeature BitLocker
All PowerShell cmdlets (Enable-BitLocker, Get-BitLockerVolume, etc.) work identically on Server Core. Additionally, the manage-bde.exe command-line tool provides full BitLocker management.
Using manage-bde from the Command Line
The manage-bde.exe tool predates the PowerShell cmdlets and is available in all editions including WinPE environments for recovery scenarios. Common operations:
Check status of all drives:
manage-bde -status
Enable BitLocker on C: with a recovery password (on an OS drive with a ready TPM, manage-bde adds the TPM protector automatically; the -TPMAndPIN or -tp switch would instead require a PIN at boot):
manage-bde -on C: -RecoveryPassword
Add a recovery password protector to an existing encrypted drive:
manage-bde -protectors -add C: -rp
List all protectors and their IDs:
manage-bde -protectors -get C:
Unlock a drive using a recovery password:
manage-bde -unlock D: -rp 123456-123456-123456-123456-123456-123456-123456-123456
Suspend BitLocker protection:
manage-bde -protectors -disable C: -rc 1
The manage-bde tool is especially valuable in recovery environments (WinPE, recovery console) where PowerShell modules may not be available, making it an essential tool for any administrator who manages BitLocker-protected servers.
Choosing the Right Encryption Method
Windows Server 2022 defaults to XTS-AES-128 for fixed drives and AES-CBC-128 for removable drives. For higher security requirements, configure XTS-AES-256 via Group Policy (Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Choose drive encryption method and cipher strength). XTS mode provides better protection against manipulation attacks compared to CBC mode and should be used for all fixed drives in sensitive environments. Once a drive is encrypted, changing the cipher strength requires decrypting and re-encrypting the volume.