Introduction to BitLocker Drive Encryption

BitLocker Drive Encryption is a full-volume encryption feature built into Windows Server 2019 that protects data on operating system drives, fixed data drives, and removable drives by encrypting the entire volume using AES encryption. When a server is stolen or decommissioned, BitLocker ensures that the data on the drives cannot be accessed without the proper credentials or recovery key. On Windows Server 2019, BitLocker uses the Trusted Platform Module (TPM) chip to protect the encryption keys, ensuring that the volume can only be decrypted on the original hardware unless a recovery key is used. BitLocker is particularly important for servers in branch offices, colocation facilities, or edge locations where physical security cannot be fully guaranteed.

Prerequisites and TPM Requirements

BitLocker on Windows Server 2019 requires a TPM 1.2 or TPM 2.0 chip for transparent startup protection. If no TPM is present, BitLocker can still be used with a USB startup key, but this requires a Group Policy change ("Require additional authentication at startup" with "Allow BitLocker without a compatible TPM" selected). Verify TPM status before enabling BitLocker:

Get-Tpm
Get-WmiObject -Namespace root\cimv2\security\microsofttpm -Class Win32_Tpm | Select-Object IsActivated_InitialValue, IsEnabled_InitialValue, IsOwned_InitialValue, SpecVersion

If the TPM is not initialized, initialize it:

Initialize-Tpm -AllowClear -AllowPhysicalPresence

Ensure the BitLocker Drive Encryption feature is available. On Server Core installations, install the feature:

Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -Restart

Enabling BitLocker on the Operating System Drive

Before encrypting the OS drive, Windows requires a separate System Reserved partition of at least 350 MB where the BitLocker boot files are stored unencrypted. This partition is created automatically during Windows installation. To enable BitLocker on the OS drive with TPM-only protection (no PIN or startup key):

Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -TpmProtector -SkipHardwareTest -Verbose

To enable BitLocker with TPM and PIN for stronger protection:

$securePin = ConvertTo-SecureString "123456" -AsPlainText -Force
Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -TpmAndPinProtector -Pin $securePin

After enabling, BitLocker encrypts the drive in the background. Check encryption status:

Get-BitLockerVolume -MountPoint "C:" | Select-Object MountPoint, EncryptionMethod, EncryptionPercentage, VolumeStatus, ProtectionStatus

Saving the BitLocker Recovery Key

The recovery key is essential for regaining access to a BitLocker-protected volume if the TPM fails, if the PIN is forgotten, or if the drive is moved to different hardware. Always save the recovery key to a secure location before encrypting. Backup options include Active Directory Domain Services, Azure AD, a file, or print. Note that enabling BitLocker with only -TpmProtector does not create a recovery password; the volume must have a RecoveryPassword protector (added with Add-BitLockerKeyProtector -RecoveryPasswordProtector) before the following commands will find anything to back up. To back up to Active Directory:

$keyProtectorId = (Get-BitLockerVolume -MountPoint "C:").KeyProtector | Where-Object {$_.KeyProtectorType -eq "RecoveryPassword"} | Select-Object -ExpandProperty KeyProtectorId
Backup-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $keyProtectorId

Save the recovery key to a file on a network share. The file holds the recovery password in plain text, so restrict the share's ACL to the administrators who need it:

$recoveryKey = (Get-BitLockerVolume -MountPoint "C:").KeyProtector | Where-Object {$_.KeyProtectorType -eq "RecoveryPassword"} | Select-Object -ExpandProperty RecoveryPassword
$recoveryKey | Out-File "\\FileServer01\BitLockerKeys\$(hostname)-C-Recovery.txt"
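The following is an added example, not code from the original page: it makes sure every BitLocker volume on the host has a numerical recovery password and escrows it to AD DS, reporting per protector whether the backup succeeded. The function name Backup-BitLockerRecoveryToAD is hypothetical; the cmdlets it calls are the standard BitLocker module cmdlets used above.

```powershell
# Added example (not from the original page). Function name is hypothetical.
function Backup-BitLockerRecoveryToAD {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string[]]$MountPoint
    )

    foreach ($mp in $MountPoint) {
        $vol = Get-BitLockerVolume -MountPoint $mp -ErrorAction Stop

        # A TPM-only OS drive (Enable-BitLocker -TpmProtector) has no recovery password yet.
        $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
        if (-not $rp) {
            if ($PSCmdlet.ShouldProcess($mp, 'Add RecoveryPassword protector')) {
                $vol = Add-BitLockerKeyProtector -MountPoint $mp -RecoveryPasswordProtector
                $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
            }
        }

        foreach ($p in $rp) {
            $result = [pscustomobject]@{
                Computer       = $env:COMPUTERNAME
                MountPoint     = $mp
                KeyProtectorId = $p.KeyProtectorId
                BackedUp       = $false
                Error          = $null
            }
            try {
                # Fails when the host is not domain-joined, cannot reach a writable DC, or the
                # "Store BitLocker recovery information in AD DS" policy is not applied.
                Backup-BitLockerKeyProtector -MountPoint $mp -KeyProtectorId $p.KeyProtectorId -ErrorAction Stop | Out-Null
                $result.BackedUp = $true
            } catch {
                $result.Error = $_.Exception.Message
            }
            $result
        }
    }
}

# Escrow every BitLocker volume on this host and show any failures.
Get-BitLockerVolume | ForEach-Object { Backup-BitLockerRecoveryToAD -MountPoint $_.MountPoint } |
    Format-Table -AutoSize
```

Run it with -WhatIf first to see which volumes would receive a new recovery password protector.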

Enabling BitLocker on Data Drives

Encrypt fixed data drives that store sensitive information such as database files, user data, or application data. Data drives support auto-unlock, which lets them unlock automatically when the OS drive is unlocked; this requires that the OS drive is already BitLocker-protected:

Enable-BitLocker -MountPoint "D:" -EncryptionMethod XtsAes256 -RecoveryPasswordProtector -Verbose
Enable-BitLockerAutoUnlock -MountPoint "D:"

Verify auto-unlock status:

Get-BitLockerVolume -MountPoint "D:" | Select-Object AutoUnlockEnabled, VolumeStatus

To add a password protector to a data drive for manual unlock scenarios:

$password = ConvertTo-SecureString "DataDriveP@ssw0rd!" -AsPlainText -Force
Add-BitLockerKeyProtector -MountPoint "D:" -PasswordProtector -Password $password

Encrypting Removable Drives with BitLocker To Go

BitLocker To Go encrypts removable USB drives and external hard disks. This feature is important for protecting data on portable media. Enable it on a removable drive:

Enable-BitLocker -MountPoint "E:" -EncryptionMethod Aes256 -PasswordProtector -Password (ConvertTo-SecureString "USB@Passw0rd" -AsPlainText -Force)

Configure Group Policy to require BitLocker on removable drives before write access is allowed. The policy is at Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Removable Data Drives: Deny write access to removable drives not protected by BitLocker.

Configuring BitLocker via Group Policy

Group Policy provides centralized control over BitLocker settings across the enterprise. Key policy settings are under Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption. Important policies include:

"Choose drive encryption method and cipher strength" should be set to XTS-AES 256-bit for OS and fixed drives. "Store BitLocker recovery information in Active Directory Domain Services" should be enabled with the option to store recovery passwords and key packages. Its sub-option "Do not enable BitLocker until recovery information is stored in AD DS for OS drives" prevents BitLocker from being enabled if the AD backup fails. "Configure use of passwords for operating system drives" governs whether a password protector may be used on OS drives when TPM-only mode is not in use.

After linking the GPO, refresh policy on a server and confirm the BitLocker settings were applied:

gpupdate /force
gpresult /r /scope computer | findstr -i "bitlocker"
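As an added example (not from the original page), this check reads the values that Group Policy writes under HKLM\SOFTWARE\Policies\Microsoft\FVE and compares them with the baseline described above, so drift from the intended policy shows up as a non-compliant row. The registry value names and their meanings are assumptions taken from the BitLocker ADMX templates; confirm them against your own GPO's registry.pol. The function name Test-BitLockerPolicyBaseline is hypothetical.

```powershell
# Added example (not from the original page). Function name is hypothetical.
function Test-BitLockerPolicyBaseline {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

    # Expected values: 7 = XTS-AES 256 for the cipher entries, 1 = enabled elsewhere.
    # Value names are assumptions from the FVE ADMX templates (verify against your GPO).
    $baseline = [ordered]@{
        EncryptionMethodWithXtsOs      = 7   # Choose drive encryption method: OS drives
        EncryptionMethodWithXtsFdv     = 7   # Choose drive encryption method: fixed data drives
        OSRecovery                     = 1   # Store recovery information in AD DS (OS drives): enabled
        OSActiveDirectoryBackup        = 1   # Save BitLocker recovery information to AD DS
        OSRequireActiveDirectoryBackup = 1   # Do not enable BitLocker until the AD backup succeeds
        OSActiveDirectoryInfoToStore   = 1   # 1 = recovery passwords and key packages
        RDVDenyWriteAccess             = 1   # Deny write access to removable drives not protected by BitLocker
    }

    # Missing key or missing value means the policy has not been applied to this host.
    $actual = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }

    foreach ($name in $baseline.Keys) {
        $value = if ($actual) { $actual.$name } else { $null }
        [pscustomobject]@{
            Setting   = $name
            Expected  = $baseline[$name]
            Actual    = $value
            Compliant = ($value -eq $baseline[$name])
        }
    }
}

Test-BitLockerPolicyBaseline | Format-Table -AutoSize
```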

Managing BitLocker in Active Directory

When BitLocker stores recovery keys in AD DS, administrators can retrieve recovery keys for locked machines. Use the BitLocker Password Recovery Viewer snap-in or PowerShell. To view recovery keys stored in AD for a computer:

Get-ADObject -Filter {objectClass -eq "msFVE-RecoveryInformation"} -SearchBase "CN=SERVER01,CN=Computers,DC=contoso,DC=com" -Properties msFVE-RecoveryPassword | Select-Object Name, msFVE-RecoveryPassword

Install the BitLocker Recovery Password Viewer tool which adds a BitLocker Recovery tab to computer objects in Active Directory Users and Computers:

Add-WindowsFeature RSAT-Feature-Tools-BitLocker -IncludeAllSubFeature

Suspending and Resuming BitLocker

When performing firmware updates, hardware maintenance, or other tasks that change measured boot components, suspend BitLocker to prevent recovery mode from triggering. Suspending BitLocker does not decrypt the drive; the data stays encrypted, but the volume key is stored in the clear so the drive unlocks without TPM validation until protection is resumed. Keep the suspension window as short as possible:

Suspend-BitLocker -MountPoint "C:" -RebootCount 1
# With -RebootCount 1, protection resumes automatically after the next reboot.
# Resume-BitLocker re-enables protection immediately, or is required if -RebootCount 0 (indefinite) was used.
Resume-BitLocker -MountPoint "C:"

Use the manage-bde command-line tool for the same operation:

manage-bde -protectors -disable C: -RebootCount 1
manage-bde -protectors -enable C:

Checking and Reporting BitLocker Status

Generate a comprehensive BitLocker status report for all volumes on a server:

Get-BitLockerVolume | Select-Object MountPoint, EncryptionMethod, EncryptionPercentage, VolumeStatus, ProtectionStatus, LockStatus, AutoUnlockEnabled | Format-Table -AutoSize

For enterprise-wide reporting across multiple servers:

$servers = "Server01","Server02","Server03"
# Collect the output of the loop first; a foreach statement cannot be piped directly.
$results = foreach ($server in $servers) {
    Invoke-Command -ComputerName $server -ScriptBlock {
        Get-BitLockerVolume | Select-Object @{N='Server';E={$env:COMPUTERNAME}}, MountPoint, ProtectionStatus, EncryptionPercentage
    }
}
$results | Export-Csv "C:\Reports\BitLockerStatus.csv" -NoTypeInformation
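The status listing above shows what each volume reports; the added example below (not from the original page) turns it into a compliance audit that flags, per volume, the conditions that leave data exposed: not fully encrypted, protection suspended, a weaker cipher than XTS-AES 256, no recovery password protector, or an OS drive without a TPM-based protector. Server names and the output path are placeholders, and the function name Get-BitLockerComplianceReport is hypothetical.

```powershell
# Added example (not from the original page). Function name is hypothetical.
function Get-BitLockerComplianceReport {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [string]$RequiredMethod = 'XtsAes256'
    )
    Invoke-Command -ComputerName $ComputerName -ArgumentList $RequiredMethod -ScriptBlock {
        param($RequiredMethod)
        foreach ($v in Get-BitLockerVolume) {
            $issues = @()
            if ($v.VolumeStatus -ne 'FullyEncrypted') { $issues += "VolumeStatus=$($v.VolumeStatus)" }
            # ProtectionStatus Off on an encrypted volume usually means Suspend-BitLocker was never resumed.
            if ($v.ProtectionStatus -ne 'On') { $issues += 'ProtectionOff' }
            if ($v.VolumeStatus -eq 'FullyEncrypted' -and $v.EncryptionMethod -ne $RequiredMethod) {
                $issues += "Method=$($v.EncryptionMethod)"
            }
            $types = @($v.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
            if ($types -notcontains 'RecoveryPassword') { $issues += 'NoRecoveryPassword' }
            # Tpm, TpmPin, TpmStartupKey and TpmPinStartupKey all count as TPM-based.
            if ($v.VolumeType -eq 'OperatingSystem' -and -not ($types -match '^Tpm')) {
                $issues += 'NoTpmProtector'
            }
            [pscustomobject]@{
                Server     = $env:COMPUTERNAME
                MountPoint = $v.MountPoint
                VolumeType = "$($v.VolumeType)"
                Status     = "$($v.VolumeStatus)"
                Protection = "$($v.ProtectionStatus)"
                Compliant  = ($issues.Count -eq 0)
                Issues     = ($issues -join ';')
            }
        }
    } | Select-Object Server, MountPoint, VolumeType, Status, Protection, Compliant, Issues
}

# Placeholder server names and output path.
$report = Get-BitLockerComplianceReport -ComputerName 'Server01','Server02','Server03'
$report | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
$report | Export-Csv -Path 'C:\Reports\BitLockerCompliance.csv' -NoTypeInformation
```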

Decrypting BitLocker Volumes

When decommissioning a server or drive, decrypt BitLocker volumes before disposal or reuse. Decryption removes encryption and can take several hours for large volumes:

Disable-BitLocker -MountPoint "C:"
Disable-BitLocker -MountPoint "D:"
Get-BitLockerVolume | Select-Object MountPoint, VolumeStatus

For complete data destruction on decommissioned drives, use a certified data wiping tool after BitLocker decryption. BitLocker on Windows Server 2019 provides transparent, hardware-backed encryption that protects against unauthorized physical access while integrating with Active Directory for enterprise-wide key management.