How to Configure BitLocker with TPM on Windows Server 2012 R2
Full-disk encryption is one of the most effective controls against data theft by anyone with physical access to the drive. BitLocker Drive Encryption, combined with a Trusted Platform Module (TPM) 1.2 or 2.0 chip, ensures that a stolen or decommissioned server’s drives cannot be read without either the original hardware’s TPM state or the recovery key. On Windows Server 2012 R2, BitLocker supports operating system volumes, fixed data drives, and removable media. This guide walks through enabling BitLocker on the OS volume using TPM, backing up recovery keys to Active Directory, and monitoring encryption status across your server fleet.
Prerequisites
Confirm the following before proceeding:
- The server has a TPM 1.2 or 2.0 chip enabled in UEFI/BIOS firmware
- The OS partition is NTFS-formatted and has a separate 350 MB or larger system partition (created automatically during Windows setup)
- You are running Windows Server 2012 R2 with the BitLocker Drive Encryption feature installed
- Active Directory schema is extended for BitLocker recovery key backup (requires AD DS on Windows Server 2008 or later)
- You have local Administrator rights on the server
Step 1: Install the BitLocker Feature
BitLocker is a Windows Feature that must be installed before use:
Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -Restart
After the server restarts, verify installation:
Get-WindowsFeature BitLocker
Step 2: Verify TPM Status
BitLocker with TPM requires the chip to be present, enabled, and owned by the OS. Check TPM status:
Get-Tpm
The output should show TpmPresent : True, TpmReady : True, and TpmEnabled : True. If TpmOwned is False, initialize the TPM:
Initialize-Tpm -AllowClear -AllowPhysicalPresence
If the TPM shows as not present, check UEFI/BIOS settings to ensure the chip is enabled. Some servers require a physical presence confirmation at the next reboot to take ownership.
Step 3: Configure Group Policy for BitLocker
Before encrypting, configure Group Policy settings that control how BitLocker behaves. Open GPMC and navigate to:
Computer Configuration → Administrative Templates → Windows Components → BitLocker Drive Encryption → Operating System Drives
Configure these policies:
- Require additional authentication at startup — Enable it. Check “Allow BitLocker without a compatible TPM” only if your environment must accept a password or USB startup key on servers that have no TPM; leave it unchecked where the TPM is required, since TPM-only mode on this server does not need it
- Choose how BitLocker-protected operating system drives can be recovered — Enable, check “Save BitLocker recovery information to AD DS for operating system drives,” and set “Do not enable BitLocker until recovery information is stored in AD DS”
Apply the policy:
gpupdate /force
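The following pre-flight script is an added example, not part of the original guide. It checks Steps 1 to 3 in one pass before any encryption starts: the feature is installed, the TPM is present and owned, and the Group Policy values from Step 3 actually reached the server. The registry value names are the ones these policies write under the FVE policy key; the expected values (TPM required, AD DS backup mandatory) are this script’s assumptions and should match the choices you made in Step 3.

```powershell
# Added pre-flight check (not from the original guide). Run as Administrator
# on the server you are about to encrypt.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$problems  = @()

# Step 1: the BitLocker feature must be installed
if (-not (Get-WindowsFeature BitLocker).Installed) {
    $problems += 'BitLocker feature is not installed'
}

# Step 2: TPM present, enabled, ready and owned
$tpm = Get-Tpm
foreach ($prop in 'TpmPresent', 'TpmEnabled', 'TpmReady', 'TpmOwned') {
    if (-not $tpm.$prop) { $problems += "TPM check failed: $prop is False" }
}

# Step 3: policy values the GPO should have written. Expected values assume
# "Allow BitLocker without a compatible TPM" was left unchecked (set to 1 if
# your policy allows it) and that AD DS backup is mandatory.
$expected = @{
    UseAdvancedStartup             = 1   # "Require additional authentication at startup" enabled
    EnableBDEWithNoTPM             = 0   # non-TPM protectors not allowed
    OSActiveDirectoryBackup        = 1   # save recovery information to AD DS
    OSRequireActiveDirectoryBackup = 1   # do not enable until the backup succeeds
}
if (-not (Test-Path $policyKey)) {
    $problems += "Policy key $policyKey is missing; run gpupdate /force and check the GPO scope"
} else {
    $policy = Get-ItemProperty -Path $policyKey
    foreach ($name in $expected.Keys) {
        $actual = $policy.$name
        if ($null -eq $actual -or $actual -ne $expected[$name]) {
            $problems += "Policy $name is '$actual', expected $($expected[$name])"
        }
    }
}

if ($problems.Count -eq 0) {
    Write-Host 'Pre-flight passed: safe to run Enable-BitLocker.'
} else {
    $problems | ForEach-Object { Write-Warning $_ }
    throw 'Pre-flight failed; fix the items above before encrypting.'
}
```

Running this before Step 5 turns “the GPO was configured correctly” from an assumption into a checked fact; with the require-backup policy in place, a server whose policy has not applied will refuse to enable BitLocker rather than silently skipping the escrow.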
Step 4: Prepare Active Directory for Recovery Key Backup
BitLocker recovery keys must be backed up to AD DS so that locked-out servers can be recovered without physical access to the key. Ensure the schema class ms-FVE-RecoveryInformation exists (it is included in the Windows Server 2008 and later schema by default). The same default schema grants each computer account (SELF) the right to create ms-FVE-RecoveryInformation objects beneath its own computer object, which is the permission the backup relies on. Confirm both on a domain controller:
# Run on a domain controller with the ActiveDirectory module available
Import-Module ActiveDirectory
# 1. Confirm the recovery-information class exists in the schema
Get-ADObject -SearchBase (Get-ADRootDSE).schemaNamingContext -Filter { name -eq "ms-FVE-RecoveryInformation" }
# 2. Confirm the computer account can create child objects under itself
#    (the default computer ACL carries a CreateChild ACE for SELF)
$dn = (Get-ADComputer -Identity "SERVER01").DistinguishedName   # SERVER01 is a placeholder; use your server's name
(Get-Acl -Path "AD:\$dn").Access | Where-Object { $_.IdentityReference -like "*SELF*" -and $_.ActiveDirectoryRights -match "CreateChild" }
The Microsoft-provided script Add-BitLockerKeyProtector.ps1 from the BitLocker Deployment Guide can automate delegation across the entire domain.
Step 5: Enable BitLocker on the OS Drive
Enable BitLocker on drive C using a TPM-only protector and a recovery password. Enable-BitLocker accepts one protector type per call, so add the recovery password first and then enable encryption with the TPM protector. The recovery password will be automatically backed up to AD DS if the GPO was configured correctly in Step 3:
# Add the recovery password first (this is the protector that gets escrowed to AD DS)
Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector
# Then enable encryption with the TPM as the boot-time protector
Enable-BitLocker -MountPoint "C:" -TpmProtector -SkipHardwareTest
The -SkipHardwareTest flag bypasses the hardware compatibility test reboot. Remove it on physical servers for a safer first run—BitLocker will reboot to verify TPM before encrypting.
Retrieve the recovery password so you can manually verify it was saved to AD DS:
Get-BitLockerVolume -MountPoint "C:" | Select-Object -ExpandProperty KeyProtector | Where-Object { $_.KeyProtectorType -eq "RecoveryPassword" }
Step 6: Back Up the Recovery Key to Active Directory
If you need to force a backup of the recovery key to AD DS (for example, after enabling BitLocker without the GPO in place), use the following commands. They look up the KeyProtectorId of the recovery password protector from the previous step automatically:
$vol = Get-BitLockerVolume -MountPoint "C:"
$keyId = ($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq "RecoveryPassword" }).KeyProtectorId
Backup-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $keyId
Verify the key is in AD DS by opening Active Directory Users and Computers, navigating to the computer object, selecting the BitLocker Recovery tab (requires the BitLocker Password Viewer feature on the DC), and confirming the recovery key appears.
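The GUI check above does not scale and is easy to skip. The script below is an added example (not from the original guide) that performs the same verification from PowerShell: it reads the ms-FVE-RecoveryInformation objects stored under the computer object and matches their recovery GUIDs against the RecoveryPassword protectors on the local volume. It assumes the ActiveDirectory module (RSAT-AD-PowerShell) is installed and that the account running it may read those objects, which are ACL-restricted by default.

```powershell
# Added example, not part of the original guide.
Import-Module ActiveDirectory

function Get-AdBitLockerRecovery {
    param([Parameter(Mandatory)][string]$ComputerName)

    $computer = Get-ADComputer -Identity $ComputerName
    # Recovery objects are direct children of the computer object; each one
    # carries the recovery GUID (as bytes) and the 48-digit password.
    Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
        -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
        -Properties 'msFVE-RecoveryPassword', 'msFVE-RecoveryGuid', 'whenCreated' |
      ForEach-Object {
        [PSCustomObject]@{
            Computer     = $ComputerName
            BackedUp     = $_.whenCreated
            RecoveryGuid = New-Object -TypeName System.Guid -ArgumentList (,[byte[]]$_.'msFVE-RecoveryGuid')
            Password     = $_.'msFVE-RecoveryPassword'
        }
      }
}

function Test-RecoveryKeyEscrow {
    param([string]$MountPoint = 'C:')

    # Every RecoveryPassword protector on the volume must have a matching AD object.
    $local = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword'
    $inAd = Get-AdBitLockerRecovery -ComputerName $env:COMPUTERNAME

    foreach ($p in $local) {
        # KeyProtectorId is the GUID in braces; msFVE-RecoveryGuid is the same GUID stored as bytes.
        $id    = [guid]$p.KeyProtectorId
        $match = $inAd | Where-Object RecoveryGuid -eq $id
        if ($match) {
            Write-Host "Escrowed: protector $id on $MountPoint backed up $($match.BackedUp)"
        } else {
            Write-Warning "Missing in AD DS: protector $id on $MountPoint; run Backup-BitLockerKeyProtector"
        }
    }
}

Test-RecoveryKeyEscrow -MountPoint 'C:'
```

Matching on the GUID rather than on the presence of any recovery object matters: a server that was re-imaged or had its recovery password rotated can have stale objects in AD DS while the current protector is not escrowed at all.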
Step 7: Monitor Encryption Progress
Encryption of a large OS drive can take hours. Monitor progress without blocking PowerShell:
while ((Get-BitLockerVolume -MountPoint "C:").EncryptionPercentage -lt 100) {
$status = Get-BitLockerVolume -MountPoint "C:"
Write-Host "Encrypting C: - $($status.EncryptionPercentage)% complete - Status: $($status.VolumeStatus)"
Start-Sleep -Seconds 30
}
Write-Host "Encryption complete."
Or use the command-line tool for a quick one-shot check:
manage-bde -status C:
Step 8: Enable BitLocker on Data Drives
Data volumes should also be encrypted. Use an auto-unlock protector so data drives mount automatically when the OS drive is unlocked by TPM:
# Add recovery password and auto-unlock to drive D:
Enable-BitLocker -MountPoint "D:" -RecoveryPasswordProtector
Enable-BitLockerAutoUnlock -MountPoint "D:"
Back up the data drive recovery key as well:
$vol = Get-BitLockerVolume -MountPoint "D:"
$keyId = ($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq "RecoveryPassword" }).KeyProtectorId
Backup-BitLockerKeyProtector -MountPoint "D:" -KeyProtectorId $keyId
Step 9: Verify Final Encryption Status
Once encryption completes, perform a full status review:
Get-BitLockerVolume | Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage, EncryptionMethod
Expected output for a protected drive:
VolumeStatus: FullyEncrypted
ProtectionStatus: On
EncryptionPercentage: 100
Confirm all key protectors:
Get-BitLockerVolume | Select-Object MountPoint -ExpandProperty KeyProtector
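The status review above covers one server. For the fleet-wide monitoring mentioned in the introduction, the following added example (not from the original guide) collects the same properties over PowerShell remoting and flags volumes that fail the checks from Steps 5 to 9: fully encrypted, protection on, a recovery password present, and a TPM protector on OS volumes. It assumes remoting is enabled on the servers; the server names are placeholders.

```powershell
# Added example, not part of the original guide.
$servers = 'SRV-APP01', 'SRV-APP02', 'SRV-DB01'   # placeholder names; replace with your inventory

$report = Invoke-Command -ComputerName $servers -ErrorAction SilentlyContinue -ScriptBlock {
    Get-BitLockerVolume | ForEach-Object {
        $protectorTypes = @($_.KeyProtector | Select-Object -ExpandProperty KeyProtectorType)
        [PSCustomObject]@{
            Server               = $env:COMPUTERNAME
            MountPoint           = $_.MountPoint
            VolumeType           = $_.VolumeType
            VolumeStatus         = $_.VolumeStatus
            ProtectionStatus     = $_.ProtectionStatus
            EncryptionPercentage = $_.EncryptionPercentage
            EncryptionMethod     = $_.EncryptionMethod
            HasTpm               = $protectorTypes -contains 'Tpm'
            HasRecoveryPassword  = $protectorTypes -contains 'RecoveryPassword'
        }
    }
}

# A volume is compliant only when it is fully encrypted, protection is on,
# a recovery password exists, and (for OS volumes) a TPM protector is present.
$nonCompliant = $report | Where-Object {
    $_.VolumeStatus -ne 'FullyEncrypted' -or
    $_.ProtectionStatus -ne 'On' -or
    -not $_.HasRecoveryPassword -or
    ($_.VolumeType -eq 'OperatingSystem' -and -not $_.HasTpm)
}

# Servers that did not answer are listed separately: a silent host is not a compliant host.
$answered    = @($report | Select-Object -ExpandProperty Server -Unique)
$unreachable = @($servers | Where-Object { $_ -notin $answered })

Write-Host "Volumes checked: $(@($report).Count); non-compliant: $(@($nonCompliant).Count); unreachable servers: $($unreachable.Count)"
$nonCompliant | Format-Table Server, MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage, HasTpm, HasRecoveryPassword -AutoSize
$unreachable  | ForEach-Object { Write-Warning "No response from $_" }

# Keep the full report as audit evidence for the key escrow reviews mentioned in the summary.
$report | Export-Csv -Path "BitLockerStatus-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Treat ProtectionStatus Off on a FullyEncrypted volume as a finding in its own right: it is exactly the state a suspended volume sits in, and a server left suspended after maintenance boots without any TPM check.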
Step 10: Test Recovery
Periodically test that the recovery key actually works. Suspend BitLocker temporarily, force a recovery mode boot, and recover using the key stored in AD DS:
# Suspend BitLocker (allows one unprotected boot)
Suspend-BitLocker -MountPoint "C:" -RebootCount 1
# Force BitLocker recovery at next boot
manage-bde -forcerecovery C:
On the next boot, the server will prompt for the 48-digit recovery password. Retrieve it from AD DS using the BitLocker Password Viewer tool, enter it, and confirm the server boots normally. Because manage-bde -forcerecovery removes the TPM key protector, re-add a TPM protector before resuming protection, otherwise the server will prompt for the recovery password at every boot. Resume protection afterward:
Resume-BitLocker -MountPoint "C:"
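A recovery drill has two halves separated by a reboot, and the second half is where drills usually go wrong: manage-bde -forcerecovery deletes the TPM-related key protectors, so a server that is simply resumed after the drill keeps stopping at the recovery screen. The two-phase script below is an added example (not from the original guide) that records the volume state before arming recovery and, after the recovery boot, restores the TPM protector and confirms protection is back on. The drill state file path is an assumption.

```powershell
# Added example, not part of the original guide.
$DrillState = 'C:\ProgramData\BitLockerDrill.json'   # assumed location for drill state

function Start-RecoveryDrill {
    param([string]$MountPoint = 'C:')

    $vol      = Get-BitLockerVolume -MountPoint $MountPoint
    $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    if ($recovery.Count -eq 0) {
        throw "No recovery password on $MountPoint; add and escrow one before running a drill."
    }

    # Record which protectors existed so the second phase knows what to restore.
    [PSCustomObject]@{
        MountPoint     = $MountPoint
        Started        = (Get-Date).ToString('o')
        ProtectorTypes = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        RecoveryIds    = @($recovery | ForEach-Object { $_.KeyProtectorId })
    } | ConvertTo-Json | Set-Content -Path $DrillState

    # Force the recovery prompt at next boot. The operator must unlock with the
    # password retrieved from AD DS, which is the escrow path being tested.
    manage-bde -forcerecovery $MountPoint | Out-Null
    Write-Host "Drill armed. Restart the server and unlock $MountPoint with the escrowed recovery password."
}

function Complete-RecoveryDrill {
    if (-not (Test-Path $DrillState)) { throw 'No drill in progress.' }
    $state = Get-Content -Path $DrillState -Raw | ConvertFrom-Json
    $vol   = Get-BitLockerVolume -MountPoint $state.MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    # Restore the TPM protector that -forcerecovery removed; without it every
    # future boot stops at the recovery screen.
    if (($state.ProtectorTypes -contains 'Tpm') -and ($types -notcontains 'Tpm')) {
        Add-BitLockerKeyProtector -MountPoint $state.MountPoint -TpmProtector | Out-Null
        Write-Host 'TPM protector restored.'
    }

    # Resume in case protection was suspended as part of the drill.
    Resume-BitLocker -MountPoint $state.MountPoint | Out-Null

    $final  = Get-BitLockerVolume -MountPoint $state.MountPoint
    $hasTpm = @($final.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm').Count -gt 0
    Remove-Item -Path $DrillState

    [PSCustomObject]@{
        Drill      = $state.Started
        Completed  = (Get-Date).ToString('o')
        Protection = $final.ProtectionStatus
        Passed     = ($final.ProtectionStatus -eq 'On') -and $hasTpm
    }
}
```

Run Start-RecoveryDrill before the reboot and Complete-RecoveryDrill after the server is back; a Passed value of False means the drill left the server in a worse state than it started and needs attention before the next reboot.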
Summary
BitLocker with TPM provides hardware-rooted full-disk encryption that protects data at rest on Windows Server 2012 R2. You have installed the BitLocker feature, verified TPM readiness, configured Group Policy to back up recovery keys automatically to AD DS, encrypted both the OS and data drives, and verified the encryption status. This configuration satisfies data-at-rest encryption requirements for compliance frameworks such as PCI-DSS, HIPAA, and ISO 27001. Combine BitLocker with regular key escrow audits and a tested recovery procedure to ensure you can regain access if a TPM or motherboard failure ever forces a recovery scenario.