Chapter 11 – BitLocker Drive Encryption

 Windows Server Group Policy (GPO) Master Handbook

Chapter 11 – BitLocker Drive Encryption

Learning Objectives

Learn to deploy and manage BitLocker using Group Policy, TPM, recovery keys, Active Directory integration, and enterprise best practices.

1. Group Policy Path

Computer Configuration → Administrative Templates → Windows Components → BitLocker Drive Encryption

2. What is BitLocker?

BitLocker encrypts operating system, fixed, and removable drives to protect data if a device is lost or stolen. It integrates with TPM and can automatically store recovery information in Active Directory or Microsoft Entra ID.

3. BitLocker Components

TPM, PIN, Startup Key (USB), Recovery Password, Recovery Key, Network Unlock, BitLocker Recovery Service.

4. Drive Types

Operating System Drives, Fixed Data Drives, and Removable Data Drives (BitLocker To Go). Configure each independently through Group Policy.

5. TPM Requirements

TPM 2.0 is recommended. Configure policies to require TPM only, TPM+PIN, TPM+Startup Key, or TPM+PIN+Startup Key based on organizational security requirements.

6. Recovery Key Management

Configure 'Choose how BitLocker-protected operating system drives can be recovered' to back up recovery passwords and key packages to Active Directory before encryption starts.

7. Enterprise Recommended Settings

Use XTS-AES 256 where organizational policy requires it, require TPM, store recovery keys in Active Directory or Microsoft Entra ID, prevent users from skipping recovery key backup, and encrypt used space only for new devices when appropriate.

8. PowerShell Commands

Get-BitLockerVolume
Enable-BitLocker
Disable-BitLocker
Backup-BitLockerKeyProtector
Manage-bde -status
Manage-bde -protectors -get C:

9. Troubleshooting

Verify TPM is initialized (tpm.msc), confirm the BitLocker Drive Encryption Service is running, check recovery key backup, review Event Viewer, verify GPO application using gpresult /h, and use manage-bde -status to confirm encryption state.

10. Best Practices

Back up recovery keys before enabling encryption, test on pilot devices, document recovery procedures, encrypt all portable devices, and monitor compliance.

11. Interview Questions

What is BitLocker? Difference between TPM and TPM+PIN? What is BitLocker To Go? How do you recover a BitLocker-protected drive? How do you verify BitLocker status?

12. Practical Lab

Create a BitLocker GPO, require TPM, configure recovery key backup to Active Directory, enable BitLocker on a test machine, run gpupdate /force, verify encryption with Get-BitLockerVolume and confirm recovery key storage.

Common BitLocker Policies

Policy

Recommended

Purpose

Require additional authentication at startup

Enabled

Configure TPM/PIN

Store recovery information in AD DS

Enabled

Centralized recovery

Choose drive encryption method

XTS-AES 256 (per policy)

Encryption strength

Allow BitLocker without compatible TPM

Disabled (unless required)

Security

Deny write access to removable drives not protected

Enabled

Protect USB media

BitLocker To Go

Enabled

Encrypt removable drives

Recovery password

48-digit

Emergency recovery

Microsoft Learn References

BitLocker Overview

BitLocker Group Policy Settings

BitLocker PowerShell

BitLocker Recovery

Comments

Popular posts from this blog

IIS Installation and Application configuration windows swerver

IIS Self Signed

Here’s a step-by-step guide on configuring WDS on Windows Server