This is a step-by-step guide on how to enable BitLocker on Windows Server 2012 R2. Many organizations do not consider BitLocker for servers because servers are generally not as portable as desktop operating systems such as Windows 7, 8 or 10, especially on laptops. But many overlook the fact that virtual machines can be even more portable: someone can easily export one and save it to a USB thumb drive.
The focus of this guide is full-disk encryption using BitLocker, especially for situations such as a standalone offline Microsoft Active Directory Certificate Services Root CA. In this example, BitLocker provides an additional security layer, which is particularly valuable for smaller organizations.
Instructions to Enable BitLocker
We will first need to install the feature “BitLocker Drive Encryption”. Launch Server Manager and click on “Add roles and features”.
Assuming this is a standalone server, there will be a single choice. If part of a group, ensure you select the appropriate server and click Next.
Click Next on the Server Roles, we are not installing a role but a feature from the next screen.
Click on “BitLocker Drive Encryption”.
The wizard dialog will popup, click “Add Features”.
This process might take a few minutes; click Close when it completes.
Once this completes, you will need to restart the computer. Before you do that, it is important to modify the following Group Policy setting:
Computer Configuration/Administrative Templates/Windows Components/BitLocker Drive Encryption/Operating System Drives/Require additional authentication at startup
Launch Local Group Policy Editor (gpedit.msc) and navigate to the above policy setting.
Double-Click on the setting and enable the policy. Also, ensure the “Allow BitLocker without a compatible TPM” option is checked.
Then restart the server so that both the BitLocker feature and group policy setting take effect.
NOTE - Issue or bug after the restart.
After the restart, you may check the Control Panel for “BitLocker Drive Encryption”, but it may not be present.
You may also have a hard time locating it on the Start Screen, although you may locate “Manage BitLocker”.
When you click on it, you may receive an error message.
This issue seems to disappear after an extra restart. Restart the server one more time and navigate to Control Panel.
Click on BitLocker Drive Encryption.
Click on “Turn on BitLocker“.
To simplify the process, we will select the option to “Enter a password”.
Obviously, we want to select a strong password, otherwise, what is the point of implementing BitLocker in the first place? Click Next.
Now we need to back up the recovery key, which can be used to unlock BitLocker if we forget the password. Click “Save to a file”.
Be advised that you will need to save it to an external location and not on the drive that is being encrypted. You can also opt to save it to a USB flash drive, but if this is a virtual machine, you will need to ensure that you can properly mount it. Or simply print it. In any situation, you must ensure that these items are properly secured.
In our situation, we will select the option to “Encrypt entire drive” and click Next.
NOTE – Be aware when encrypting thin-provisioned disks in a lab environment: because encrypting the entire drive writes every block, the disk will most likely expand to its maximum size after encryption.
Click Continue on the “Run BitLocker system check”.
You will need to restart to enable BitLocker encryption.
After the restart, you will need to enter the password that you previously defined.
Once you log on to the server, navigate to the “BitLocker Drive Encryption” applet in Control Panel to ensure the encryption process has started. It may take a couple of minutes for the process to start and for the “Encrypting” status to appear.
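The same procedure can be driven from an elevated PowerShell session, which is useful for repeating it on several offline servers. This is an added example, not part of the original guide; it assumes the OS volume is C:, that the server has no TPM (the virtual machine case), that the policy change allows a password protector on the OS drive (which is what the GUI “Enter a password” option relies on), and it uses D:\ as a placeholder for a separate, unencrypted location for the recovery key.

```powershell
# Added example (not from the original guide): enable BitLocker on the OS drive
# of a Windows Server 2012 R2 machine without a TPM from an elevated PowerShell.
# Assumptions: OS volume is C:, no TPM present, D:\ is a placeholder for an
# external/removable location where the recovery key is stored.

# 1. Install the BitLocker feature (equivalent to "Add roles and features").
Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools

# 2. Registry equivalent of the local policy
#    "Require additional authentication at startup" = Enabled, with
#    "Allow BitLocker without a compatible TPM" checked.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $fve -Force | Out-Null
Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -Type DWord
Set-ItemProperty -Path $fve -Name EnableBDEWithNoTPM -Value 1 -Type DWord

# Restart here (Restart-Computer) so the feature and the policy take effect,
# then run the remaining steps after logging back on.

# 3. Turn on BitLocker for the OS drive with a password protector. Omitting
#    -UsedSpaceOnly encrypts the entire drive; omitting -SkipHardwareTest keeps
#    the BitLocker system check that requires a restart.
$pw = Read-Host -Prompt 'BitLocker startup password' -AsSecureString
Enable-BitLocker -MountPoint 'C:' -EncryptionMethod Aes256 -PasswordProtector -Password $pw

# 4. Add a recovery password protector and save it OFF the encrypted drive.
Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector | Out-Null
$vol = Get-BitLockerVolume -MountPoint 'C:'
$rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
"Identifier: $($rp.KeyProtectorId)`nRecovery Key: $($rp.RecoveryPassword)" |
    Out-File -FilePath 'D:\BitLocker-Recovery-Key-C.txt'   # placeholder path

# 5. Verify after the required restart and password entry: VolumeStatus should
#    read EncryptionInProgress and then FullyEncrypted, with ProtectionStatus On.
Get-BitLockerVolume -MountPoint 'C:' |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus
```

Store the recovery key file with the same care as the printed or USB copy described above, and confirm it is not left on any volume that the same machine encrypts later.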