How to manage and configure BitLocker Drive Encryption – PowerShell and BitLocker on Windows Server 2012 R2

I have heard a lot of questions and a lot of incorrect answers about BitLocker in enterprise environments, so I decided to write a series of articles to demystify BitLocker and its management.

BitLocker – Difference between Windows 8.1 (client OS) and Windows Server 2012 R2

  • The most important difference is that you need to install the BitLocker feature on Windows Server.
Install-WindowsFeature -Name BitLocker -Restart -Verbose
  • You will also get the Enhanced Storage feature, which is required for BitLocker, so after the restart you can see that these two features were installed:
[X] BitLocker Drive Encryption
[X] Enhanced Storage
  • There is no reason to install the following Remote Server Administration Tools (RSAT), because they are required only for remote management; you should always follow security principles and avoid increasing the attack surface.
DisplayName                                         Name
-----------                                         ----
BitLocker Drive Encryption Administration Utilities RSAT-Feature-Tools-BitLocker
BitLocker Drive Encryption Tools                    RSAT-Feature-Tools-BitLocker-RemoteAdminTool
BitLocker Recovery Password Viewer                  RSAT-Feature-Tools-BitLocker-BdeAducExt
  • RSAT tools are not required to encrypt a drive or manage BitLocker using PowerShell or the GUI (Control Panel).

Always use PowerShell to manage BitLocker on Windows Servers

  • At the beginning it is a good idea to check the current state.
Get-BitLockerVolume | Where-Object -Property ProtectionStatus -EQ Off

Get-BitLockerVolume | Where-Object -Property ProtectionStatus -NE Off |
    Format-List -Property *
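The two checks above answer "which volumes are unprotected" and "what do the protected ones look like" separately. As an added example (not code from the original post), the function below combines them into one per-volume audit report that also flags protected volumes with no RecoveryPassword protector and shows whether AutoUnlock is on. It assumes the BitLocker module is available (the feature from the first section is installed); the function name Get-BitLockerAuditReport is hypothetical.

```powershell
# Added example, not from the original post. Function name is hypothetical.
# Builds one audit row per BitLocker volume from the BitLockerVolume objects
# returned by Get-BitLockerVolume.
function Get-BitLockerAuditReport {
    [CmdletBinding()]
    param ()

    Get-BitLockerVolume | ForEach-Object {
        $volume = $_
        $protectorTypes = @($volume.KeyProtector | Select-Object -ExpandProperty KeyProtectorType)

        [PSCustomObject]@{
            MountPoint           = $volume.MountPoint
            VolumeType           = $volume.VolumeType           # OperatingSystem or Data
            ProtectionStatus     = $volume.ProtectionStatus     # On / Off
            VolumeStatus         = $volume.VolumeStatus         # e.g. FullyEncrypted, EncryptionInProgress
            EncryptionMethod     = $volume.EncryptionMethod
            EncryptionPercentage = $volume.EncryptionPercentage
            Protectors           = ($protectorTypes -join ',')
            HasRecoveryPassword  = ($protectorTypes -contains 'RecoveryPassword')
            # An ExternalKey protector flagged AutoUnlockProtector means AutoUnlock is on
            AutoUnlockEnabled    = [bool]($volume.KeyProtector | Where-Object { $_.AutoUnlockProtector })
        }
    }
}

# Same question as the first check above: which volumes are unprotected?
Get-BitLockerAuditReport | Where-Object ProtectionStatus -EQ 'Off'

# The case that hurts most in practice: protected, but no recovery password to fall back on
Get-BitLockerAuditReport |
    Where-Object { $_.ProtectionStatus -eq 'On' -and -not $_.HasRecoveryPassword } |
    Format-Table -AutoSize
```

Run it after every change in the sections that follow; the second query should normally return nothing on a properly configured server.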

Encrypt volume with OS

  • If your TPM is ready, it is very simple to encrypt the volume with the operating system.
Enable-BitLocker -MountPoint 'C:' -TpmProtector -Verbose

Enable BitLocker on data volumes

  • In BitLocker naming convention, all volumes except the volume with the OS are data volumes.
  • You can encrypt a data volume using a similar command.
$volumeBitLockerMountPoint = 'D:'
Get-BitLockerVolume -MountPoint $volumeBitLockerMountPoint |
    Enable-BitLocker -RecoveryPasswordProtector -Verbose
  • The situation is a little more complex when you have volumes without a drive letter. If a volume is accessed only through a mount point, you need to use the volume's path.
$volumeBitLockerMountPoint = (Get-Volume -FileSystemLabel 'Encrypted Volume').Path

Thin vs. thick provisioned disk

  • For any kind of thin provisioning (dynamic VHD or VHDX, or a thin virtual disk in a Storage Spaces storage pool) you need to specify that only used space is encrypted.
Enable-BitLocker -MountPoint "G:" -RecoveryPasswordProtector -UsedSpaceOnly:$true -Verbose
  • It is possible to use this option even when your Group Policy specifies that the whole volume (all space) has to be encrypted:
    • Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives
      • Enforce drive encryption type on fixed data drives: Enabled, Full encryption

Get BitLocker protectors

  • There are a lot of different protectors. If you do not back up the Recovery Password to Active Directory, then you definitely want to save the RecoveryPassword protector.
# Get
Get-BitLockerVolume -MountPoint $volumeBitLockerMountPoint |
    Select-Object -ExpandProperty KeyProtector
# Save the RecoveryPassword
<#
KeyProtectorId      : {C4E7CB69-C62C-4781-8A44-7CC513774BA8}
AutoUnlockProtector :
KeyProtectorType    : RecoveryPassword
KeyFileName         :
RecoveryPassword    : 620279-444576-111518-032978-496034-452298-255618-481745
KeyCertificateType  :
Thumbprint          :
#>
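Reading the recovery password off the screen, as above, is fine for one volume, but the safer habit is to push every RecoveryPassword protector into Active Directory so the secret never lives only on the server. The following is an added example, not code from the original post: it loops over every protected volume and calls Backup-BitLockerKeyProtector for each RecoveryPassword protector. It assumes the server is domain joined, the AD schema stores BitLocker recovery information and the account may write it (the same prerequisites as the "Store BitLocker recovery information in Active Directory Domain Services" Group Policy settings); the function name Backup-BitLockerRecoveryPasswordToAD is hypothetical.

```powershell
# Added example, not from the original post. Function name is hypothetical.
# Backs up each RecoveryPassword protector of each protected volume to AD.
function Backup-BitLockerRecoveryPasswordToAD {
    [CmdletBinding(SupportsShouldProcess)]
    param (
        # Optional: restrict to specific mount points; default is every protected volume
        [string[]] $MountPoint
    )

    $volumes = if ($MountPoint) { Get-BitLockerVolume -MountPoint $MountPoint }
               else             { Get-BitLockerVolume | Where-Object ProtectionStatus -EQ 'On' }

    foreach ($volume in $volumes) {
        $recoveryProtectors = @($volume.KeyProtector |
            Where-Object KeyProtectorType -EQ 'RecoveryPassword')

        if ($recoveryProtectors.Count -eq 0) {
            Write-Warning "$($volume.MountPoint): no RecoveryPassword protector, nothing to back up"
            continue
        }

        foreach ($protector in $recoveryProtectors) {
            $action = "Back up RecoveryPassword protector $($protector.KeyProtectorId) to AD"
            if ($PSCmdlet.ShouldProcess($volume.MountPoint, $action)) {
                # The cmdlet takes the mount point and the protector id, not the protector object
                Backup-BitLockerKeyProtector -MountPoint $volume.MountPoint `
                    -KeyProtectorId $protector.KeyProtectorId -ErrorAction Stop | Out-Null

                [PSCustomObject]@{
                    MountPoint     = $volume.MountPoint
                    KeyProtectorId = $protector.KeyProtectorId
                    BackedUpToAD   = $true
                }
            }
        }
    }
}

# Dry run first to see what would be written, then the real backup
Backup-BitLockerRecoveryPasswordToAD -WhatIf
Backup-BitLockerRecoveryPasswordToAD
```

Because -ErrorAction Stop is used, a failed write to AD (for example, a missing schema or insufficient rights) aborts the run instead of being silently skipped, so a volume is never reported as backed up when it is not.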

Unlock volume protected by BitLocker

  • If you enable BitLocker on a data volume and you do not configure automatic unlock, you will have to unlock this volume every time you restart your server.
Unlock-BitLocker -MountPoint '\\?\Volume{8397a412-9e20-4358-a731-c3788d49760a}\' -RecoveryPassword '211717-154154-150920-528275-396649-623062-366949-083006'

Enable automatic unlock (AutoUnlock) to unlock data volume after restart

  • At this moment (when you enable BitLocker on a data volume) the volume is not unlocked after a reboot.
  • Of course, an encrypted OS volume is required to use AutoUnlock.
# Enable Automatic unlock (AutoUnlock)
Get-BitLockerVolume -MountPoint $volumeBitLockerMountPoint |
    Enable-BitLockerAutoUnlock -Verbose
  • When you enable automatic unlock, you will see another protector:
# Get protectors
Get-BitLockerVolume -MountPoint $volumeBitLockerMountPoint |
    Select-Object -ExpandProperty KeyProtector
<#
Found new protector:

KeyProtectorId      : {99BED23C-8A28-41C9-BC2B-557E8CFB9D1F}
AutoUnlockProtector : True
KeyProtectorType    : ExternalKey
KeyFileName         : 99BED23C-8A28-41C9-BC2B-557E8CFB9D1F.BEK
RecoveryPassword    :
KeyCertificateType  :
Thumbprint          :
#>
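The note above that AutoUnlock requires an encrypted OS volume is worth enforcing in code: the auto-unlock key is kept on the OS volume, so it is only as protected as that volume is. As an added example (not code from the original post), the function below refuses to run unless the OS volume is protected, then enables AutoUnlock on every protected data volume that does not already have an AutoUnlock protector, and reports the result. It assumes the BitLocker module is available; the function name Enable-DataVolumeAutoUnlock is hypothetical.

```powershell
# Added example, not from the original post. Function name is hypothetical.
# Enables AutoUnlock on protected data volumes only when the OS volume is protected.
function Enable-DataVolumeAutoUnlock {
    [CmdletBinding(SupportsShouldProcess)]
    param ()

    # Guard: the auto-unlock key is stored on the OS volume, which must itself be encrypted
    $osVolume = Get-BitLockerVolume | Where-Object VolumeType -EQ 'OperatingSystem'
    if (-not $osVolume -or $osVolume.ProtectionStatus -ne 'On') {
        throw 'The OS volume is not protected by BitLocker; refusing to enable AutoUnlock on data volumes.'
    }

    $dataVolumes = Get-BitLockerVolume |
        Where-Object { $_.VolumeType -eq 'Data' -and $_.ProtectionStatus -eq 'On' }

    foreach ($volume in $dataVolumes) {
        # The page shows what AutoUnlock looks like: an ExternalKey protector with AutoUnlockProtector = True
        $alreadyEnabled = [bool]($volume.KeyProtector | Where-Object { $_.AutoUnlockProtector })
        if ($alreadyEnabled) {
            Write-Verbose "$($volume.MountPoint): AutoUnlock already enabled"
            continue
        }
        if ($PSCmdlet.ShouldProcess($volume.MountPoint, 'Enable-BitLockerAutoUnlock')) {
            Enable-BitLockerAutoUnlock -MountPoint $volume.MountPoint -ErrorAction Stop | Out-Null
        }
    }

    # Report the resulting state of every data volume
    Get-BitLockerVolume | Where-Object VolumeType -EQ 'Data' | ForEach-Object {
        [PSCustomObject]@{
            MountPoint       = $_.MountPoint
            ProtectionStatus = $_.ProtectionStatus
            AutoUnlock       = [bool]($_.KeyProtector | Where-Object { $_.AutoUnlockProtector })
        }
    }
}

Enable-DataVolumeAutoUnlock -Verbose
```

Volumes that are not yet protected are skipped rather than auto-unlocked, so the function never turns an unencrypted data volume into one that looks configured but is not.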

Multiple RecoveryPassword protectors

  • I noticed a small issue when you enable BitLocker on a volume without a drive letter. Sometimes, for no reason, there are two recovery password protectors.
  • It is very simple to remove one of them.
# Get
$volumeBitLockerMountPoint = '\\?\Volume{98c7575b-df0a-47b8-910a-65dac9e85497}\'
$protector = Get-BitLockerVolume -MountPoint $volumeBitLockerMountPoint |
    Select-Object -ExpandProperty KeyProtector |
    Where-Object -Property 'KeyProtectorType' -EQ 'RecoveryPassword' |
    Select-Object -Last 1

# Return
$protector

# It is not possible to pipe the protector object to Remove-BitLockerKeyProtector
Remove-BitLockerKeyProtector -MountPoint $volumeBitLockerMountPoint -KeyProtectorId $protector.KeyProtectorId -Verbose
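The snippet above removes the last RecoveryPassword protector unconditionally. As an added example (not code from the original post), the function below does the same cleanup with two guards a practitioner wants: it only removes anything when more than one RecoveryPassword protector exists, and it verifies afterwards that exactly one remains and that it is the one it meant to keep. It assumes the BitLocker module is available; the function name Remove-DuplicateRecoveryPasswordProtector is hypothetical, and the volume GUID in the usage line is a placeholder.

```powershell
# Added example, not from the original post. Function name is hypothetical.
# Removes surplus RecoveryPassword protectors, keeping the first one, and
# verifies that a volume is never left without a recovery password.
function Remove-DuplicateRecoveryPasswordProtector {
    [CmdletBinding(SupportsShouldProcess)]
    param (
        [Parameter(Mandatory)] [string] $MountPoint
    )

    $volume   = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    $recovery = @($volume.KeyProtector | Where-Object KeyProtectorType -EQ 'RecoveryPassword')

    if ($recovery.Count -le 1) {
        Write-Verbose "$MountPoint has $($recovery.Count) RecoveryPassword protector(s); nothing to remove"
        return
    }

    # Keep the first protector; remove every later duplicate (the page's snippet removes the last one)
    $keep = $recovery[0]
    foreach ($protector in $recovery[1..($recovery.Count - 1)]) {
        if ($PSCmdlet.ShouldProcess($MountPoint, "Remove RecoveryPassword protector $($protector.KeyProtectorId)")) {
            # As noted on the page, the protector object cannot be piped; pass the id explicitly
            Remove-BitLockerKeyProtector -MountPoint $MountPoint `
                -KeyProtectorId $protector.KeyProtectorId -ErrorAction Stop | Out-Null
        }
    }

    # Under -WhatIf nothing was removed, so there is nothing to verify
    if ($WhatIfPreference) { return }

    # Verify: exactly one RecoveryPassword protector remains and it is the kept one
    $after = @((Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object KeyProtectorType -EQ 'RecoveryPassword')
    if ($after.Count -ne 1 -or $after[0].KeyProtectorId -ne $keep.KeyProtectorId) {
        throw "$MountPoint: expected one RecoveryPassword protector ($($keep.KeyProtectorId)) after cleanup, found $($after.Count)"
    }

    # Return the surviving protector so its password can be recorded
    $after[0]
}

# Preview, then apply; the volume GUID is a placeholder
Remove-DuplicateRecoveryPasswordProtector -MountPoint '\\?\Volume{<volume-guid-placeholder>}\' -WhatIf
Remove-DuplicateRecoveryPasswordProtector -MountPoint '\\?\Volume{<volume-guid-placeholder>}\'
```

Whichever protector you keep, make sure that is the one whose recovery password you have recorded (or backed up to Active Directory); the function returns it for exactly that reason.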
