How to Set Up Windows Server 2016 BitLocker Drive Encryption
BitLocker Drive Encryption is a built-in Windows Server 2016 feature that provides full-volume encryption to protect data at rest. When enabled, BitLocker encrypts the entire volume, preventing unauthorized access to data if drives are physically removed or a server is stolen. This guide covers enabling BitLocker on Windows Server 2016, including TPM configuration, recovery key management, and Network Unlock for automated boot.
Prerequisites
- Trusted Platform Module (TPM) version 1.2 or later (strongly recommended; TPM 2.0 preferred).
- Windows Server 2016 with the BitLocker feature installed.
- A recovery key storage location (Active Directory, Azure AD, or removable media).
- For OS drives: two partitions — a boot partition (at least 350 MB) and the OS volume.
Step 1: Install the BitLocker Feature
Install-WindowsFeature BitLocker -IncludeManagementTools -Restart
After restart, verify installation:
Get-WindowsFeature -Name BitLocker
Step 2: Check TPM Status
Get-Tpm
If the TPM is present but not initialized, initialize it:
Initialize-Tpm -AllowClear -AllowPhysicalPresence
Step 3: Enable BitLocker on the OS Drive
Enable BitLocker on the C: drive using TPM only (no PIN, auto-unlocks on boot):
Enable-BitLocker -MountPoint "C:" -TpmProtector -UsedSpaceOnly
Enable with TPM + PIN for higher security (prompts for a PIN at each boot). The Group Policy setting "Require additional authentication at startup" must allow a startup PIN with TPM, or the TpmAndPin protector is rejected; replace the sample PIN below with a real one:
$securePIN = ConvertTo-SecureString "123456" -AsPlainText -Force
Enable-BitLocker -MountPoint "C:" -TpmAndPinProtector -Pin $securePIN
Add a recovery password protector alongside the TPM protector (the recovery password is what gets backed up to AD in Step 4):
Enable-BitLocker -MountPoint "C:" -TpmProtector
Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector
Step 4: Back Up Recovery Key to Active Directory
Back up the recovery information to AD DS for centralized management:
$keyProtectors = (Get-BitLockerVolume -MountPoint "C:").KeyProtector
$recoveryKeyId = ($keyProtectors | Where-Object {$_.KeyProtectorType -eq "RecoveryPassword"}).KeyProtectorId
Backup-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $recoveryKeyId
Verify the backup in AD with the BitLocker Recovery Password Viewer (Active Directory Users and Computers extension) or, with the ActiveDirectory module, the following query (replace the SearchBase with your domain's distinguished name):
Get-ADObject -Filter {objectclass -eq 'msFVE-RecoveryInformation'} -SearchBase "DC=corp,DC=local" -Properties msFVE-RecoveryPassword
Step 5: Enable BitLocker on Data Drives
For data volumes, add a recovery password protector and then enable auto-unlock, which stores an external key on the already encrypted OS volume so the data drive unlocks automatically once the OS drive is unlocked:
Enable-BitLocker -MountPoint "D:" -RecoveryPasswordProtector
Enable-BitLockerAutoUnlock -MountPoint "D:"
Step 6: Configure Network Unlock
Network Unlock allows BitLocker-protected servers to boot without manual PIN entry when connected to the corporate network. This requires a WDS (Windows Deployment Services) server, a Network Unlock certificate, a TPM, and UEFI firmware on the client with a DHCP driver. Install the Network Unlock feature:
Install-WindowsFeature BitLocker-NetworkUnlock
Configure Network Unlock via Group Policy at:
Computer Configuration > Windows Settings > Security Settings > Public Key Policies > BitLocker Drive Encryption Network Unlock Certificate
Step 7: Check BitLocker Encryption Status
Get-BitLockerVolume | Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage, KeyProtector
Monitor encryption progress (encryption runs in the background):
manage-bde -status C:
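Steps 4 and 7 together amount to an escrow audit: every encrypted volume should carry a recovery password protector, and that protector should be in AD DS. The following function, an added example rather than code from the original guide, walks each volume, reports its status, and (with -Remediate) adds and backs up a missing recovery password. It assumes the BitLocker module from Step 1 and a domain-joined server.

```powershell
# Added example (not from the original guide): audit every BitLocker volume and
# make sure each one has a recovery password protector escrowed to AD DS.
# Assumes the BitLocker PowerShell module (Step 1) on a domain-joined server.
function Test-BitLockerEscrow {
    [CmdletBinding()]
    param(
        # Add a recovery password protector and back it up when one is missing.
        [switch]$Remediate
    )
    foreach ($vol in Get-BitLockerVolume) {
        $recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
        $result = [ordered]@{
            MountPoint         = $vol.MountPoint
            VolumeStatus       = $vol.VolumeStatus
            ProtectionStatus   = $vol.ProtectionStatus
            EncryptionPct      = $vol.EncryptionPercentage
            RecoveryProtectors = $recovery.Count
            Action             = 'None'
        }
        if ($vol.VolumeStatus -eq 'FullyDecrypted') {
            # Nothing to escrow yet; flag the unencrypted volume for follow-up.
            $result.Action = 'Not encrypted - review'
        }
        elseif ($recovery.Count -eq 0 -and $Remediate) {
            # Without a recovery password there is nothing AD can store. Add one;
            # since none existed before, the only RecoveryPassword protector now is the new one.
            $updated = Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector
            $id = ($updated.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }).KeyProtectorId
            Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $id | Out-Null
            $result.Action = "Added and escrowed $id"
        }
        elseif ($recovery.Count -eq 0) {
            $result.Action = 'Missing recovery password - run with -Remediate'
        }
        else {
            # Re-run the backup for each existing protector; this repairs an escrow
            # that was missed (for example, the server was offline when it was created).
            foreach ($kp in $recovery) {
                Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
            }
            $result.Action = 'Escrow confirmed'
        }
        [pscustomobject]$result
    }
}

# Report-only run; add -Remediate to fix volumes that lack a recovery password.
Test-BitLockerEscrow | Format-Table -AutoSize
```

Backup-BitLockerKeyProtector throws if the server cannot reach a domain controller, so a failed escrow surfaces as an error in the run rather than silently leaving the key unrecoverable.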
Step 8: Suspend and Resume BitLocker
Suspend BitLocker before firmware or boot-component updates, so that the changed TPM measurements do not force the server into recovery mode; -RebootCount 1 resumes protection automatically after one reboot:
Suspend-BitLocker -MountPoint "C:" -RebootCount 1
Resume protection:
Resume-BitLocker -MountPoint "C:"
Step 9: Decrypt a Drive
Disable-BitLocker -MountPoint "D:"
Or using manage-bde:
manage-bde -off D:
Enforce BitLocker via Group Policy
Enforce startup authentication for OS drives via GPO: Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives > "Require additional authentication at startup". This setting also governs whether a TPM-only or TPM + PIN protector (Step 3) is permitted.
Summary
BitLocker on Windows Server 2016 provides transparent, full-volume encryption that protects data at rest against physical theft or unauthorized access. By backing up recovery keys to Active Directory, configuring Network Unlock for automated server boot, and enforcing BitLocker settings through Group Policy, organizations can maintain strong data protection without disrupting day-to-day operations.