BitLocker Drive Encryption enables you to protect data on lost, stolen or inappropriately decommissioned devices by encrypting the entire volume and checking the integrity of early boot components. This data can only be decrypted if all the components are successfully verified and the encrypted drive is located in the original PC. In this article, we shall learn how to install BitLocker on Windows Server via Server Manager. Please see How to Disable BitLocker on Windows 10, and How to Change BitLocker Password in Windows.
For all Windows Server editions, BitLocker isn’t installed by default, but it can be installed using Server Manager or Windows PowerShell cmdlets. Administrative rights are required to perform this task.
Note: Integrity checking requires a compatible TPM module for your device. You may want to see how to disable Lock Screen on Windows 10 via Registry Editor, and how to Backup existing and new BitLocker Recovery Keys to Active Directory.
Step 1: Install BitLocker on Windows Server
Open Server Manager by selecting the Server Manager icon or running servermanager.exe. Server Manager often opens automatically when you sign in.
Select Manage from the Server Manager Navigation bar and select Add Roles and Features to start the Add Roles and Features Wizard.
Alternatively, from the Server Manager dashboard, you could select Add roles and features as shown below.
With the Add Roles and Features wizard open, select Next at the Before you Begin pane if shown.
Select Role-based or feature-based installation on the Installation type pane of the Add Roles and Features wizard and select Next to continue.
Select the Select a server from the server pool option in the Server Selection pane.
Note: Server roles and features are installed by using the same wizard in Server Manager.
Select Next on the Server Roles pane of the Add Roles and Features wizard to proceed to the Features pane.
Select the check box next to BitLocker Drive Encryption within the Features pane of the Add Roles and Features wizard.
Note: The Enhanced Storage feature is a required feature for enabling BitLocker. This feature enables support for encrypted hard drives on capable systems.
The BitLocker Drive Encryption feature and the Enhanced Storage feature have been selected.
Before proceeding with this step, you may want to learn about Microsoft BitLocker Administration and Management (MBAM).
Select Install on the Confirmation pane of the Add Roles and Features wizard to begin the BitLocker feature installation.
If you want the server to restart automatically, check the box next to “Restart the destination server automatically if required”. This forces a restart of the computer after installation is complete. At this time, I will not check it, just to show you that it does require a RESTART of the Windows Server.
BitLocker is being installed
If the “Restart the destination server automatically if required” check box isn’t selected, the Results pane of the Add Roles and Features wizard displays the success or failure of the BitLocker feature installation and reminds you that a restart is pending. Please restart your server.
To install BitLocker on Windows Server using Windows PowerShell
Windows PowerShell offers administrators an option for BitLocker feature installation.
The server must be restarted to complete the installation of BitLocker. I will not be discussing these steps in detail, as the focus is on Server Manager, but here is how BitLocker can be installed with PowerShell.
Installing the BitLocker feature using Windows PowerShell does not install the Enhanced Storage feature. Administrators wishing to support Encrypted Hard Drives in their environment will need to install the Enhanced Storage feature separately.
Using the DISM module to install BitLocker
The DISM (dism.exe) Windows PowerShell module uses the Enable-WindowsOptionalFeature cmdlet to install features. Learn how to install BitLocker with DISM.
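The following script is an added example (not from the original post) of the PowerShell route described above. It assumes an elevated PowerShell session on the Windows Server being configured (Server 2016 or later) and installs both the BitLocker feature and Enhanced Storage in one call, since the PowerShell path does not pull in Enhanced Storage on its own; the DISM alternative is shown commented out at the end.

```powershell
# Added example: install BitLocker and Enhanced Storage from PowerShell.
# Assumes an elevated session on the target server; the ServerManager module ships with Windows Server.
Import-Module ServerManager

# Install-WindowsFeature is the cmdlet equivalent of the Add Roles and Features wizard.
# -IncludeManagementTools brings manage-bde.exe and the BitLocker PowerShell module;
# EnhancedStorage must be named explicitly because it is not installed as a dependency.
$result = Install-WindowsFeature -Name BitLocker, EnhancedStorage -IncludeAllSubFeature -IncludeManagementTools

# Success, RestartNeeded and the per-feature results tell you whether the install completed.
$result | Format-List Success, RestartNeeded, ExitCode, FeatureResult

if ($result.RestartNeeded -eq 'Yes') {
    Write-Warning 'BitLocker requires a reboot before manage-bde.exe and the BitLocker cmdlets work.'
    # Restart-Computer -Force   # uncomment when an immediate reboot is acceptable
}

# Confirm the install state of both features afterwards (expect "Installed" for each).
Get-WindowsFeature -Name BitLocker, EnhancedStorage | Select-Object Name, InstallState

# DISM-module alternative mentioned in the post. -NoRestart defers the reboot;
# note that this path also leaves Enhanced Storage uninstalled.
# Enable-WindowsOptionalFeature -Online -FeatureName BitLocker -All -NoRestart
```

Running `Get-WindowsFeature` after the install is worth keeping in a deployment script: a feature that reports "InstallPending" rather than "Installed" is the sign that the reboot the post mentions has not happened yet.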
Step 2: Turn on BitLocker using Windows Explorer
This option is available on client computers by default. On servers, the BitLocker feature and the Desktop-Experience feature must first be installed for this option to be available.
After the server reboots, you can use BitLocker. To enable BitLocker on Windows Server, kindly proceed with the steps below.
Windows Explorer allows you to launch the BitLocker Drive Encryption Wizard by right-clicking a volume and selecting Turn On BitLocker.
The wizard first checks the PC configuration. This process can take a while to complete. Sit back and relax.
Proceed with the BitLocker Drive Encryption setup by clicking on Next
Click on Next to proceed as well.
The volume is shrunk as shown below.
Encrypt the drive
Choose how to unlock the drive at Startup. I will select the second option as shown below.
Enter a Password
Note: Removable data drives can be unlocked using a smart card. A SID protector can also be configured to unlock a drive by using user domain credentials. After encryption has started, the drive can also be automatically unlocked on a specific computer for a specific user account.
I will select the second option to have the entire drive encrypted.
On the Ready for BitLocker Encryption? pane, click Continue.
The "run BitLocker System Check" is selected by default. You can choose to deselect this.
You will be notified that BitLocker will start shortly after the PC is restarted.
Unlock BitLocker Drive Encryption
To UnLock BitLocker Drive Encryption, enter the password you entered above.
Encryption has started
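The wizard steps above (unlock with a password, encrypt the entire drive, keep a recovery key) can be scripted for repeatable server builds. The block below is an added example, not the post's own code; it assumes an elevated session after the post-install reboot, Windows Server 2016 or later, and uses D: as a placeholder for a data volume. The commented lines at the end show the TPM-protector form for an operating system volume, which is what the post's integrity-checking note refers to.

```powershell
# Added example: enable BitLocker on a volume the way the wizard in the post does.
# Placeholder mount point; replace with the volume you are protecting.
$MountPoint = 'D:'

# Prompt for the unlock password as a SecureString rather than embedding it in the script.
$password = Read-Host -Prompt "Password to unlock $MountPoint" -AsSecureString

# Password protector, XTS-AES 256, full-volume encryption (no -UsedSpaceOnly, matching
# the post's "entire drive" choice). Enable-BitLocker starts the encryption immediately.
Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -PasswordProtector -Password $password

# Add a recovery password as a second protector: without it, a forgotten password means
# the data is gone. Add-BitLockerKeyProtector returns the updated BitLockerVolume object.
$vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
$recovery = $vol.KeyProtector | Where-Object { $_.KeyProtectorType.ToString() -eq 'RecoveryPassword' }

# Escrow the recovery password in Active Directory (requires the AD backup policy
# the post links to). The 48-digit password itself is in $recovery.RecoveryPassword;
# record it out of band rather than leaving it in console history.
Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $recovery.KeyProtectorId

# Operating system volume on a server with a TPM: the TPM replaces the password, and
# -SkipHardwareTest corresponds to clearing "Run BitLocker system check" in the wizard.
# Enable-BitLocker -MountPoint 'C:' -EncryptionMethod XtsAes256 -TpmProtector
# Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector
```

The order matters: enabling with only a password protector and then losing that password leaves no way in, so the recovery protector is added and escrowed before the server is handed over.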
Verify BitLocker Encryption
To verify the BitLocker status of a particular volume, administrators can look at the status of the drive in the BitLocker Control Panel applet, Windows Explorer, the manage-bde.exe command-line tool, or Windows PowerShell cmdlets. Each option offers a different level of detail and ease of use.
To determine the current state of a volume, you can use the Get-BitLockerVolume cmdlet, which provides information on the volume type, protectors, protection status, and other details.
With manage-bde.exe you can also determine the volume status on the target system.
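As an added example (not code from the post), the function below wraps Get-BitLockerVolume to produce a one-line summary per volume and then flags the two states that are easy to miss when checking by eye: a volume that is encrypted but whose protection is suspended (ProtectionStatus Off, keys exposed in the clear), and a volume with no recovery password protector. The manage-bde.exe equivalent follows. It assumes an elevated session on a server where the BitLocker feature is installed.

```powershell
# Added example: summarise BitLocker state for every volume and flag risky configurations.
function Get-BitLockerSummary {
    param([string[]]$MountPoint)

    # With no -MountPoint, Get-BitLockerVolume returns every volume on the system.
    $volumes = if ($MountPoint) { Get-BitLockerVolume -MountPoint $MountPoint } else { Get-BitLockerVolume }

    foreach ($v in $volumes) {
        $protectorTypes = @($v.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        [pscustomobject]@{
            MountPoint       = $v.MountPoint
            VolumeType       = $v.VolumeType           # OperatingSystem or Data
            VolumeStatus     = $v.VolumeStatus         # FullyDecrypted, EncryptionInProgress, FullyEncrypted
            EncryptionPct    = $v.EncryptionPercentage
            Method           = $v.EncryptionMethod
            ProtectionStatus = $v.ProtectionStatus     # Off while suspended, even if fully encrypted
            Protectors       = ($protectorTypes -join ', ')
            HasRecoveryPw    = ($protectorTypes -contains 'RecoveryPassword')
        }
    }
}

# Overview of all volumes; EncryptionPct shows progress while the post's "Encryption has started" phase runs.
Get-BitLockerSummary | Format-Table -AutoSize

# Volumes that are (being) encrypted but are not actually protected, or have no recovery password.
Get-BitLockerSummary |
    Where-Object { $_.VolumeStatus -ne 'FullyDecrypted' -and ($_.ProtectionStatus -ne 'On' -or -not $_.HasRecoveryPw) } |
    Format-Table MountPoint, VolumeStatus, ProtectionStatus, HasRecoveryPw -AutoSize

# Same information from the command-line tool: all volumes, then one volume in detail.
manage-bde.exe -status
manage-bde.exe -status C:
```

The distinction between VolumeStatus and ProtectionStatus is the point of the check: a drive can report FullyEncrypted while ProtectionStatus is Off, which is exactly the state a suspended volume is in after a firmware update that did not resume protection.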
This can take a while, and encryption times vary depending on the type of drive being encrypted, the size of the drive, and the speed of the drive. If you are encrypting large drives, encryption should be scheduled for times when the drive isn’t being used.
You may want to see how to check if Microsoft BitLocker Administration and Monitoring is installed on Windows, and how to Fix no BitLocker Recovery tab in Active Directory.
FAQs on Deploying BitLocker
No user action is required for BitLocker in order to apply updates from Microsoft, including Windows quality updates and feature updates. Users need to suspend BitLocker for non-Microsoft software updates, such as UEFI/BIOS updates. Luckily, Dell has a measure in place to temporarily disable BitLocker for these updates.
There is a small performance overhead, often in single-digit percentages, relative to the throughput of the storage operations on which it needs to operate.
Hard disks can be swapped on the same computer if BitLocker is enabled, but only if the hard disks are BitLocker-protected on the same computer. The BitLocker keys are unique to the TPM and the operating system drive.
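The FAQ above says BitLocker must be suspended for firmware (UEFI/BIOS) updates on the OS drive, because the update changes the boot measurements the TPM validates. This added example (not from the post) shows the PowerShell form of that step with the one-reboot safeguard; it assumes an elevated session on a server whose OS volume is C:.

```powershell
# Added example: suspend BitLocker on the OS volume for exactly one reboot before a firmware
# update, so protection resumes automatically afterwards instead of staying off.
$OsVolume = 'C:'

# -RebootCount 1 suspends until the next restart completes. -RebootCount 0 would suspend
# indefinitely and require a manual Resume-BitLocker, which is the state to avoid.
Suspend-BitLocker -MountPoint $OsVolume -RebootCount 1

# ProtectionStatus reads Off while suspended; the data stays encrypted but the key is exposed.
(Get-BitLockerVolume -MountPoint $OsVolume).ProtectionStatus

# ... apply the firmware update and reboot here ...

# After the reboot, confirm protection came back; if it did not (for example because
# -RebootCount 0 was used, or the update needed a second restart), resume it explicitly.
if ((Get-BitLockerVolume -MountPoint $OsVolume).ProtectionStatus -ne 'On') {
    Resume-BitLocker -MountPoint $OsVolume
}
(Get-BitLockerVolume -MountPoint $OsVolume).ProtectionStatus   # expect On
```

Checking ProtectionStatus after the reboot is the part worth automating: a suspended volume looks encrypted in every other view, so a firmware update that leaves it suspended silently removes the protection the post set up.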
I hope you found this blog post helpful on how to Deploy BitLocker on Windows Server. If you have any questions, please let me know in the comment section.