Implementing Disk Encryption with BitLocker
When to Use
Use this skill when:
- Encrypting Windows endpoints to protect data at rest for compliance (PCI DSS, HIPAA, GDPR)
- Deploying BitLocker across enterprise fleet via Intune, SCCM, or GPO
- Configuring TPM-based encryption with PIN or USB startup key for enhanced security
- Managing BitLocker recovery keys in Active Directory or Azure AD
Do not use this skill for Linux disk encryption (use LUKS/dm-crypt) or macOS (use FileVault).
Prerequisites
- Windows 10/11 Pro, Enterprise, or Education edition
- TPM 2.0 chip (recommended; TPM 1.2 supported with limitations)
- UEFI firmware with Secure Boot enabled (recommended)
- Separate system partition (200 MB minimum, created automatically by Windows installer)
- Active Directory or Azure AD for recovery key escrow
Workflow
Step 1: Verify TPM and System Requirements
# Check TPM status
Get-Tpm
# ManufacturerId, ManufacturerVersion, TpmPresent, TpmReady, TpmEnabled
# Check TPM version (2.0 required for best compatibility)
(Get-WmiObject -Namespace "root\cimv2\security\microsofttpm" -Class Win32_Tpm).SpecVersion
# Check UEFI/Secure Boot
Confirm-SecureBootUEFI
# Returns True if Secure Boot is enabled
# Check BitLocker readiness
$vol = Get-BitLockerVolume -MountPoint "C:"
$vol.VolumeStatus # Should be "FullyDecrypted"
$vol.ProtectionStatus # Should be "Off"
Step 2: Configure BitLocker GPO Settings
Computer Configuration → Administrative Templates → Windows Components → BitLocker Drive Encryption
Operating System Drives:
- Require additional authentication at startup: Enabled
- Allow BitLocker without compatible TPM: Disabled (enforce TPM)
- Configure TPM startup: Allow TPM
- Configure TPM startup PIN: Allow startup PIN with TPM
- Configure TPM startup key: Allow startup key with TPM
- Choose how BitLocker-protected OS drives can be recovered: Enabled
- Allow data recovery agent: True
- Configure storage of recovery information to AD DS: Enabled
- Save recovery info to AD DS for OS drives: Store recovery passwords and key packages
- Do not enable BitLocker until recovery information is stored: Enabled
- Choose drive encryption method and cipher strength:
- OS drives: XTS-AES 256-bit (Windows 10 1511+)
- Fixed drives: XTS-AES 256-bit
- Removable drives: AES-CBC 256-bit (for cross-platform compatibility)
Fixed Data Drives:
- Choose how BitLocker-protected fixed drives can be recovered: Enabled
- Store recovery passwords in AD DS: Enabled
Removable Data Drives:
- Control use of BitLocker on removable drives: Enabled
- Configure use of passwords for removable drives: Require complexity
Step 3: Enable BitLocker - Command Line
# Enable BitLocker with TPM-only protector (transparent to user)
Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 `
-TpmProtector -SkipHardwareTest
# Enable BitLocker with TPM + PIN (recommended for laptops)
$pin = ConvertTo-SecureString "123456" -AsPlainText -Force
Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 `
-TpmAndPinProtector -Pin $pin
# Add recovery password protector
Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector
# Backup recovery key to Active Directory
Backup-BitLockerKeyProtector -MountPoint "C:" `
-KeyProtectorId (Get-BitLockerVolume -MountPoint "C:").KeyProtector[1].KeyProtectorId
# Encrypt fixed data drives
Enable-BitLocker -MountPoint "D:" -EncryptionMethod XtsAes256 `
-RecoveryPasswordProtector -AutoUnlockEnabled
Step 4: Deploy via Intune (Enterprise)
Intune → Endpoint Security → Disk encryption → Create Profile
Platform: Windows 10 and later
Profile: BitLocker
Settings:
BitLocker base settings:
- Encryption for operating system drives: Require
- Encryption for fixed data drives: Require
- Encryption for removable data drives: Require
Operating system drive settings:
- Additional authentication at startup: Require
- TPM startup: Allowed
- TPM startup PIN: Required (for high-security endpoints)
- Encryption method: XTS-AES 256-bit
- Recovery: Escrow to Azure AD
Fixed drive settings:
- Encryption method: XTS-AES 256-bit
- Recovery: Escrow to Azure AD
Assign to: All managed Windows devices (or specific groups)
Step 5: Manage Recovery Keys
# View recovery key on local system
(Get-BitLockerVolume -MountPoint "C:").KeyProtector |
Where-Object {$_.KeyProtectorType -eq "RecoveryPassword"} |
Select-Object KeyProtectorId, RecoveryPassword
# Retrieve recovery key from Active Directory (requires RSAT)
Get-ADObject -Filter {objectClass -eq "msFVE-RecoveryInformation"} `
-SearchBase "CN=COMPUTER01,OU=Workstations,DC=corp,DC=example,DC=com" `
-Properties msFVE-RecoveryPassword |
Select-Object -ExpandProperty msFVE-RecoveryPassword
# Retrieve recovery key from Azure AD
# Azure Portal → Azure AD → Devices → [device] → BitLocker keys
# Or via Microsoft Graph API:
# GET /devices/{id}/bitlockerRecoveryKeys
Step 6: Monitor Encryption Status
# Check encryption status across fleet
manage-bde -status C:
# Expected output for encrypted drive:
# Conversion Status: Fully Encrypted
# Percentage Encrypted: 100.0%
# Encryption Method: XTS-AES 256
# Protection Status: Protection On
# Key Protectors: TPM, Numerical Password
# PowerShell compliance check
$vol = Get-BitLockerVolume -MountPoint "C:"
if ($vol.ProtectionStatus -eq "On" -and $vol.VolumeStatus -eq "FullyEncrypted") {
Write-Host "COMPLIANT: BitLocker enabled and fully encrypted"
} else {
Write-Host "NON-COMPLIANT: BitLocker status - Protection: $($vol.ProtectionStatus), Volume: $($vol.VolumeStatus)"
}
Key Concepts
| Term | Definition | |------|-----------| | TPM (Trusted Platform Module) | Hardware security chip that stores BitLocker encryption keys and provides measured boot integrity | | XTS-AES 256 | Encryption cipher used by BitLocker; XTS mode provides better protection for disk encryption than CBC | | Recovery Key | 48-digit numerical password used to unlock BitLocker-encrypted drive when TPM authentication fails | | Key Protector | Method used to unlock BitLocker (TPM, TPM+PIN, recovery password, startup key, smart card) | | Used Space Only Encryption | Encrypts only sectors containing data; faster initial encryption but may leave remnant data in free space | | Full Disk Encryption | Encrypts entire volume including free space; slower but more secure for drives that previously contained data |
Tools & Systems
- BitLocker (built-in): Windows full disk encryption feature
- manage-bde.exe: Command-line BitLocker management tool
- BitLocker Recovery Password Viewer: RSAT tool for viewing recovery keys in Active Directory
- MBAM (Microsoft BitLocker Administration and Monitoring): Enterprise BitLocker management (legacy, replaced by Intune)
- Microsoft Intune: Cloud-based BitLocker policy deployment and recovery key management
Common Pitfalls
- Not escrowing recovery keys before encryption: If recovery keys are not saved to AD/Azure AD before encryption, they may be permanently lost if the TPM fails.
- Using TPM-only without PIN: TPM-only mode is transparent but vulnerable to cold boot attacks and evil maid attacks. Add a startup PIN for laptops leaving the office.
- Encrypting used space only on repurposed drives: If a drive previously contained sensitive data, "used space only" encryption leaves deleted data unencrypted in free space. Use full disk encryption for repurposed drives.
- Forgetting removable drives: USB drives and external disks are common data loss vectors. Enforce BitLocker To Go for removable media.
- No pre-provisioning for SCCM deployments: Pre-provision BitLocker during OSD task sequence to encrypt before OS deployment, avoiding the lengthy post-deployment encryption process.