Windows BitLocker Configuration
BitLocker provides full disk encryption for Windows systems, protecting data at rest if a device is lost or stolen. Understanding BitLocker's modes and configuration options lets administrators choose a protection level that fits their risk without making the system unusable. In domain environments BitLocker integrates with Active Directory Domain Services so recovery keys can be escrowed and managed centrally.
Enable BitLocker through PowerShell for consistent deployment:
# Check BitLocker readiness: only proceed when protection is currently off
$BitLockerVolume = Get-BitLockerVolume -MountPoint "C:"
if ($BitLockerVolume.ProtectionStatus -eq "Off") {
    # Take ownership of the TPM if it is present but not yet ready
    if ((Get-Tpm).TpmPresent -and -not (Get-Tpm).TpmReady) {
        Initialize-Tpm -AllowClear -AllowPhysicalPresence
    }
    # Add the recovery password protector first so a recovery path exists before encryption starts
    Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector
    # Enable BitLocker. Enable-BitLocker requires a protector parameter, so the TPM protector is added here
    Enable-BitLocker -MountPoint "C:" -TpmProtector -EncryptionMethod Aes256 -UsedSpaceOnly
}
# Back up the recovery password protector to AD DS
$RecoveryKey = (Get-BitLockerVolume -MountPoint "C:").KeyProtector |
    Where-Object { $_.KeyProtectorType -eq "RecoveryPassword" }
foreach ($Protector in $RecoveryKey) {
    Backup-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $Protector.KeyProtectorId
}
Configure BitLocker Group Policy for enterprise deployment:
# Key Group Policy settings for BitLocker
# Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption
#
#   Operating System Drives
#     - Require additional authentication at startup: Enabled
#         - Allow BitLocker without a compatible TPM: Disabled
#     - Configure TPM platform validation profile: PCRs 0, 2, 4, 11
#
#   Choose drive encryption method and cipher strength
#     - Select the encryption method: AES 256-bit
#
#   Store BitLocker recovery information in AD DS
#     - Require BitLocker backup to AD DS: Enabled
#     - Do not enable BitLocker until recovery information is stored in AD DS: Enabled
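The policy list above says what should be set, but a client only honours what Group Policy actually delivered. The following script is an added example (not part of the original page) that reads the policy values a client received and compares them with the listed settings, then cross-checks the encryption method the OS volume is really using. It assumes the policies are written to HKLM:\SOFTWARE\Policies\Microsoft\FVE under the value names used below; confirm those names against a reference machine before relying on the check.

```powershell
# Added example: audit the BitLocker policy a client actually received.
# Assumption: the listed Group Policy settings are stored under the FVE policy key with these value names
# (UseAdvancedStartup, EnableBDEWithNoTPM, EncryptionMethodWithXtsOs, OSActiveDirectoryBackup,
# OSRequireActiveDirectoryBackup). Verify on a reference machine before using in production.
$FvePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# Expected values. EncryptionMethodWithXtsOs: 3 = AES-CBC 128, 4 = AES-CBC 256, 6 = XTS-AES 128, 7 = XTS-AES 256.
$Expected = @{
    UseAdvancedStartup             = 1   # Require additional authentication at startup: Enabled
    EnableBDEWithNoTPM             = 0   # Allow BitLocker without a compatible TPM: Disabled
    EncryptionMethodWithXtsOs      = 4   # AES 256-bit for the OS drive
    OSActiveDirectoryBackup        = 1   # Store recovery information in AD DS
    OSRequireActiveDirectoryBackup = 1   # Do not enable BitLocker until the backup succeeds
}

function Test-BitLockerPolicy {
    param([string]$Path = $FvePolicy, [hashtable]$Expect = $Expected)
    if (-not (Test-Path $Path)) {
        # No FVE policy key at all means no BitLocker GPO has reached this machine
        return [pscustomobject]@{ Setting = '(policy key)'; Expected = 'present'; Actual = 'missing'; Compliant = $false }
    }
    $Actual = Get-ItemProperty -Path $Path
    foreach ($Name in $Expect.Keys) {
        $Prop  = $Actual.PSObject.Properties[$Name]
        $Value = if ($Prop) { $Prop.Value } else { $null }   # $null when the setting was never applied
        [pscustomobject]@{
            Setting   = $Name
            Expected  = $Expect[$Name]
            Actual    = if ($null -eq $Value) { 'not set' } else { $Value }
            Compliant = ($Value -eq $Expect[$Name])
        }
    }
}

# Compare the delivered policy with what the OS volume is actually doing
$Results = Test-BitLockerPolicy
$Results | Format-Table -AutoSize

$Volume = Get-BitLockerVolume -MountPoint 'C:'
[pscustomobject]@{
    MountPoint       = $Volume.MountPoint
    ProtectionStatus = $Volume.ProtectionStatus
    EncryptionMethod = $Volume.EncryptionMethod   # a volume encrypted before the policy arrived keeps its old cipher
    Protectors       = ($Volume.KeyProtector.KeyProtectorType -join ', ')
    PolicyCompliant  = -not ($Results.Compliant -contains $false)
}
```

Run it with an elevated prompt on a domain-joined client after gpupdate. A volume that was encrypted before the cipher policy arrived will report its original EncryptionMethod even when the policy line is compliant, which is why the script prints both.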
Implement BitLocker Network Unlock for server environments:
# Install the BitLocker Network Unlock feature on the WDS server
Install-WindowsFeature BitLocker-NetworkUnlock -IncludeManagementTools
# Locate the Network Unlock certificate in the WDS server's machine store
$Certificate = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -match "BitLocker" }
$CertificateThumbprint = $Certificate.Thumbprint
# Network Unlock is not added with Add-BitLockerKeyProtector (it has no network-unlock parameter).
# The protector is deployed through Group Policy:
#   - publish the certificate under Computer Configuration > Windows Settings > Security Settings >
#     Public Key Policies > BitLocker Drive Encryption Network Unlock Certificate
#   - enable "Allow network unlock at startup" under BitLocker Drive Encryption > Operating System Drives
# Clients that already hold a TPM protector pick up the network key protector when the policy applies.
# Record the thumbprint so the certificate published in the GPO can be matched against the server's copy
Write-Output "Network Unlock certificate thumbprint: $CertificateThumbprint"
# Verify on a client after the policy has applied
(Get-BitLockerVolume -MountPoint "C:").KeyProtector | Select-Object KeyProtectorType
Monitor BitLocker status across the enterprise:
# Query BitLocker status on remote computers (enabled accounts only)
$Computers = Get-ADComputer -Filter 'Enabled -eq $true' | Select-Object -ExpandProperty Name
# Pass the whole list to Invoke-Command so it fans out in parallel; unreachable hosts are collected, not fatal
$BitLockerStatus = Invoke-Command -ComputerName $Computers -ScriptBlock {
    Get-BitLockerVolume | Select-Object ComputerName, MountPoint, ProtectionStatus, EncryptionPercentage
} -ErrorAction SilentlyContinue -ErrorVariable Unreachable
# Generate compliance report
$BitLockerStatus | Export-Csv "BitLocker_Status_$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
# Hosts that did not answer still need attention, so report them separately
$Unreachable | ForEach-Object { $_.TargetObject } | Out-File "BitLocker_Unreachable_$(Get-Date -Format yyyyMMdd).txt"
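The status report above tells you which volumes are protected; it does not tell you whether the recovery information for those volumes ever reached AD DS, which is the "Require BitLocker backup to AD DS" policy's whole point. The script below is an added example (not part of the original page) that audits the domain for computers with no escrowed msFVE-RecoveryInformation object. It assumes the RSAT ActiveDirectory module and an account delegated read access to the recovery objects; it only reads the existence and creation time of the escrow objects, never the recovery passwords themselves.

```powershell
# Added example: find active domain computers whose BitLocker recovery information was never escrowed to AD DS.
# Assumes the ActiveDirectory module and read access to msFVE-RecoveryInformation objects.
Import-Module ActiveDirectory

function Get-BitLockerEscrowReport {
    param(
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,
        [int]$StaleAfterDays = 90   # ignore machines that have not logged on for this long
    )
    $Cutoff = (Get-Date).AddDays(-$StaleAfterDays)

    # Skip disabled accounts and machines that have not checked in recently
    $Computers = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties LastLogonDate |
        Where-Object { $_.LastLogonDate -gt $Cutoff }

    foreach ($Computer in $Computers) {
        # Recovery objects are children of the computer object; whenCreated records when the escrow happened
        $Escrows = @(Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
                                  -SearchBase $Computer.DistinguishedName -SearchScope OneLevel `
                                  -Properties whenCreated)
        $Latest = $Escrows | Sort-Object whenCreated -Descending | Select-Object -First 1
        [pscustomobject]@{
            ComputerName = $Computer.Name
            LastLogon    = $Computer.LastLogonDate
            EscrowCount  = $Escrows.Count
            LatestEscrow = if ($Latest) { $Latest.whenCreated } else { $null }
            Status       = if ($Escrows.Count -eq 0) { 'NoRecoveryInfo' } else { 'OK' }
        }
    }
}

$Report = Get-BitLockerEscrowReport
# Machines flagged NoRecoveryInfo either never encrypted, encrypted before the policy applied,
# or failed the AD backup; join on ComputerName with the status CSV above to tell the cases apart
$Report | Where-Object Status -eq 'NoRecoveryInfo' | Format-Table -AutoSize
$Report | Export-Csv "BitLocker_Escrow_$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

A computer that appears as protected in the status report but has no escrow object is the case to chase first: if that disk needs recovery, there is nothing in AD to recover it with.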