Chapter 11 – BitLocker Drive Encryption
Windows Server Group Policy (GPO) Master Handbook
Chapter 11 – BitLocker Drive Encryption
Learning Objectives
Learn to deploy and manage BitLocker using Group Policy, TPM, recovery keys, Active Directory integration, and enterprise best practices.
1. Group Policy Path
Computer Configuration → Administrative Templates → Windows Components → BitLocker Drive Encryption
2. What is BitLocker?
BitLocker encrypts operating system, fixed, and removable drives to protect data if a device is lost or stolen. It integrates with TPM and can automatically store recovery information in Active Directory or Microsoft Entra ID.
3. BitLocker Components
TPM, PIN, Startup Key (USB), Recovery Password, Recovery Key, Network Unlock, BitLocker Recovery Service.
4. Drive Types
Operating System Drives, Fixed Data Drives, and Removable Data Drives (BitLocker To Go). Configure each independently through Group Policy.
5. TPM Requirements
TPM 2.0 is recommended. Configure policies to require TPM only, TPM+PIN, TPM+Startup Key, or TPM+PIN+Startup Key based on organizational security requirements.
6. Recovery Key Management
Configure 'Choose how BitLocker-protected operating system drives can be recovered' to back up recovery passwords and key packages to Active Directory before encryption starts.
7. Enterprise Recommended Settings
Use XTS-AES 256 where organizational policy requires it, require TPM, store recovery keys in Active Directory or Microsoft Entra ID, prevent users from skipping recovery key backup, and encrypt used space only for new devices when appropriate.
8. PowerShell Commands
Get-BitLockerVolume
Enable-BitLocker
Disable-BitLocker
Backup-BitLockerKeyProtector
Manage-bde -status
Manage-bde -protectors -get C:
9. Troubleshooting
Verify TPM is initialized (tpm.msc), confirm the BitLocker Drive Encryption Service is running, check recovery key backup, review Event Viewer, verify GPO application using gpresult /h, and use manage-bde -status to confirm encryption state.
10. Best Practices
Back up recovery keys before enabling encryption, test on pilot devices, document recovery procedures, encrypt all portable devices, and monitor compliance.
11. Interview Questions
What is BitLocker? Difference between TPM and TPM+PIN? What is BitLocker To Go? How do you recover a BitLocker-protected drive? How do you verify BitLocker status?
12. Practical Lab
Create a BitLocker GPO, require TPM, configure recovery key backup to Active Directory, enable BitLocker on a test machine, run gpupdate /force, verify encryption with Get-BitLockerVolume and confirm recovery key storage.
Common BitLocker Policies
Policy | Recommended | Purpose |
Require additional authentication at startup | Enabled | Configure TPM/PIN |
Store recovery information in AD DS | Enabled | Centralized recovery |
Choose drive encryption method | XTS-AES 256 (per policy) | Encryption strength |
Allow BitLocker without compatible TPM | Disabled (unless required) | Security |
Deny write access to removable drives not protected | Enabled | Protect USB media |
BitLocker To Go | Enabled | Encrypt removable drives |
Recovery password | 48-digit | Emergency recovery |
Microsoft Learn References
Comments
Post a Comment