What is BitLocker?

BitLocker is a tool used to encrypt the drives of Windows computers. It can unlock the drive with a password, a PIN, and/or the TPM in your computer. This is useful in case your computer gets stolen or someone tries to boot from another drive. It ensures that if someone inserts a USB flash drive with Linux on it, the attacker can’t read the files on the Windows drive or, more importantly, access the SAM file (where password hashes are stored).


Set Up Windows Server

First, make sure your computers are in an OU (Organizational Unit) that is not the default ‘Computers’ container.

Then, go to Group Policy Management and create a policy for the computer OU.

Next, go to:

Computer Configuration -> Policies -> Windows Settings -> Administrative Templates -> Windows Components -> BitLocker Drive Encryption.

This is where all the settings we are going to configure are located.

  1. Click on “Store BitLocker recovery information in AD domain services”, enable it, and leave it at the default settings.

  2. Under “Operating System Drives”, enable “Enforce drive encryption type on OS drives”. There are two options, and I will explain both:

    • Full encryption: This will encrypt everything. For example, if you have a 200GB drive and you are only using 100GB, it will encrypt the entire 200GB. This process takes longer.
    • Used space-only encryption: This will only encrypt the 100GB that is currently in use and not the entire 200GB.

  3. Finally, click on “Choose how BitLocker-protected OS drives can be recovered”, enable it, and scroll down to find “Do not enable BitLocker until recovery information is stored to AD DS for OS drives”, then enable that option.


Windows PC

You will need to enable BitLocker on the PC. You can do this using PowerShell. If your drive is not the C: drive, you can modify the script by changing the drive letter.

PowerShell Script to Enable BitLocker:

# Check whether the C: drive is already encrypted
$BitLockerStatus = Get-BitLockerVolume -MountPoint "C:" | Select-Object -ExpandProperty VolumeStatus

if ($BitLockerStatus -eq 'FullyDecrypted') {
    Write-Output "Starting BitLocker encryption on C: drive..."

    # Enable BitLocker with a TPM-only protector. Enable-BitLocker starts the
    # encryption itself; there is no separate Start-BitLocker cmdlet.
    Enable-BitLocker -MountPoint "C:" -EncryptionMethod Aes256 -TpmProtector

    # To require a PIN at boot as well, use a TPM+PIN protector INSTEAD of the
    # TPM-only line above (a volume can hold only one TPM-based protector).
    # The PIN must be passed as a SecureString, not a plain string:
    # $Pin = Read-Host -Prompt "Enter BitLocker PIN" -AsSecureString
    # Enable-BitLocker -MountPoint "C:" -EncryptionMethod Aes256 -TpmAndPinProtector -Pin $Pin

    # Encryption continues in the background; report the current status
    Write-Output "Encryption in progress. This may take some time..."
    $EncryptionStatus = Get-BitLockerVolume -MountPoint "C:" | Select-Object -ExpandProperty VolumeStatus
    Write-Output "Current BitLocker status on C: drive: $EncryptionStatus"
} else {
    Write-Output "C: drive is already encrypted or encryption is in progress."
}
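The script above adds only a TPM protector, so there is no recovery password for the “Store BitLocker recovery information in AD domain services” policy to back up, and the “Do not enable BitLocker until recovery information is stored to AD DS” setting from step 3 has nothing to check. As an added example (not part of the original post), the following PowerShell creates a recovery password protector, backs it up to AD DS, and only then turns BitLocker on; it assumes the PC is domain-joined, can reach a domain controller, and falls under the GPO configured in the “Set Up Windows Server” section.

```powershell
# Added example: enable BitLocker on C: in the order the GPO expects.
# Assumes a domain-joined PC covered by the BitLocker GPO described above.
$MountPoint = "C:"
$Volume = Get-BitLockerVolume -MountPoint $MountPoint

if ($Volume.VolumeStatus -ne 'FullyDecrypted') {
    Write-Output "$MountPoint is already encrypted or encryption is in progress."
    return
}

# 1. Add a recovery password protector (the 48-digit numerical key). Without it
#    there is nothing to store in AD DS, so the policy from step 3 blocks encryption.
$Volume = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
$RecoveryProtector = $Volume.KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    Select-Object -First 1

# 2. Back that protector up to the computer object in AD DS. This is the step
#    the "Store BitLocker recovery information" policy relies on; it fails if
#    no domain controller is reachable, so run it before enabling protection.
Backup-BitLockerKeyProtector -MountPoint $MountPoint `
    -KeyProtectorId $RecoveryProtector.KeyProtectorId

# 3. Add the TPM protector and start encryption. Enable-BitLocker begins the
#    conversion itself. -SkipHardwareTest avoids the extra reboot-and-test cycle.
Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod Aes256 -TpmProtector -SkipHardwareTest

# 4. Verify: the volume should now be encrypting or fully encrypted and list both
#    a TPM and a RecoveryPassword protector. Domain admins can later find the
#    recovery password on the computer object in Active Directory Users and
#    Computers ("BitLocker Recovery" tab, with the BitLocker RSAT tools installed).
$Volume = Get-BitLockerVolume -MountPoint $MountPoint
Write-Output ("Status: {0}, {1}% encrypted, protectors: {2}" -f `
    $Volume.VolumeStatus,
    $Volume.EncryptionPercentage,
    ($Volume.KeyProtector.KeyProtectorType -join ', '))
```

If step 2 throws, fix domain connectivity (or the GPO scope) before retrying; leaving a recovery password on the drive that was never backed up defeats the purpose of the policy.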

Enabling BitLocker via GUI

To enable BitLocker via the GUI, go to:

Control Panel -> System and Security -> BitLocker Drive Encryption.

Then, enable BitLocker on the C: drive. This process may take some time, depending on the size of the drive and the encryption type selected.