pinkpixel-dev/implementing-disk-encryption-with-bitlocker

Implementing Disk Encryption with BitLocker

When to Use

Use this skill when:

• Encrypting Windows endpoints to protect data at rest for compliance (PCI DSS, HIPAA, GDPR)
• Deploying BitLocker across enterprise fleet via Intune, SCCM, or GPO
• Configuring TPM-based encryption with PIN or USB startup key for enhanced security
• Managing BitLocker recovery keys in Active Directory or Azure AD

Do not use this skill for Linux disk encryption (use LUKS/dm-crypt) or macOS (use FileVault).

Prerequisites

• Windows 10/11 Pro, Enterprise, or Education edition
• TPM 2.0 chip (recommended; TPM 1.2 supported with limitations)
• UEFI firmware with Secure Boot enabled (recommended)
• Separate system partition (200 MB minimum, created automatically by Windows installer)
• Active Directory or Azure AD for recovery key escrow

Workflow

Step 1: Verify TPM and System Requirements

# Check TPM status
Get-Tpm
# ManufacturerId, ManufacturerVersion, TpmPresent, TpmReady, TpmEnabled

# Check TPM version (2.0 required for best compatibility)
(Get-WmiObject -Namespace "root\cimv2\security\microsofttpm" -Class Win32_Tpm).SpecVersion

# Check UEFI/Secure Boot
Confirm-SecureBootUEFI
# Returns True if Secure Boot is enabled

# Check BitLocker readiness
$vol = Get-BitLockerVolume -MountPoint "C:"
$vol.VolumeStatus  # Should be "FullyDecrypted"
$vol.ProtectionStatus  # Should be "Off"

Step 2: Configure BitLocker GPO Settings

Computer Configuration → Administrative Templates → Windows Components → BitLocker Drive Encryption

Operating System Drives:
  - Require additional authentication at startup: Enabled
    - Allow BitLocker without compatible TPM: Disabled (enforce TPM)
    - Configure TPM startup: Allow TPM
    - Configure TPM startup PIN: Allow startup PIN with TPM
    - Configure TPM startup key: Allow startup key with TPM

  - Choose how BitLocker-protected OS drives can be recovered: Enabled
    - Allow data recovery agent: True
    - Configure storage of recovery information to AD DS: Enabled
    - Save recovery info to AD DS for OS drives: Store recovery passwords and key packages
    - Do not enable BitLocker until recovery information is stored: Enabled

  - Choose drive encryption method and cipher strength:
    - OS drives: XTS-AES 256-bit (Windows 10 1511+)
    - Fixed drives: XTS-AES 256-bit
    - Removable drives: AES-CBC 256-bit (for cross-platform compatibility)

Fixed Data Drives:
  - Choose how BitLocker-protected fixed drives can be recovered: Enabled
    - Store recovery passwords in AD DS: Enabled

Removable Data Drives:
  - Control use of BitLocker on removable drives: Enabled
  - Configure use of passwords for removable drives: Require complexity

Step 3: Enable BitLocker - Command Line

# Enable BitLocker with TPM-only protector (transparent to user)
Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 `
  -TpmProtector -SkipHardwareTest

# Enable BitLocker with TPM + PIN (recommended for laptops)
$pin = ConvertTo-SecureString "123456" -AsPlainText -Force
Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 `
  -TpmAndPinProtector -Pin $pin

# Add recovery password protector
Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector

# Backup recovery key to Active Directory
Backup-BitLockerKeyProtector -MountPoint "C:" `
  -KeyProtectorId (Get-BitLockerVolume -MountPoint "C:").KeyProtector[1].KeyProtectorId

# Encrypt fixed data drives
Enable-BitLocker -MountPoint "D:" -EncryptionMethod XtsAes256 `
  -RecoveryPasswordProtector -AutoUnlockEnabled

Step 4: Deploy via Intune (Enterprise)

Intune → Endpoint Security → Disk encryption → Create Profile

Platform: Windows 10 and later
Profile: BitLocker

Settings:
  BitLocker base settings:
    - Encryption for operating system drives: Require
    - Encryption for fixed data drives: Require
    - Encryption for removable data drives: Require

  Operating system drive settings:
    - Additional authentication at startup: Require
    - TPM startup: Allowed
    - TPM startup PIN: Required (for high-security endpoints)
    - Encryption method: XTS-AES 256-bit
    - Recovery: Escrow to Azure AD

  Fixed drive settings:
    - Encryption method: XTS-AES 256-bit
    - Recovery: Escrow to Azure AD

  Assign to: All managed Windows devices (or specific groups)

Step 5: Manage Recovery Keys

# View recovery key on local system
(Get-BitLockerVolume -MountPoint "C:").KeyProtector |
  Where-Object {$_.KeyProtectorType -eq "RecoveryPassword"} |
  Select-Object KeyProtectorId, RecoveryPassword

# Retrieve recovery key from Active Directory (requires RSAT)
Get-ADObject -Filter {objectClass -eq "msFVE-RecoveryInformation"} `
  -SearchBase "CN=COMPUTER01,OU=Workstations,DC=corp,DC=example,DC=com" `
  -Properties msFVE-RecoveryPassword |
  Select-Object -ExpandProperty msFVE-RecoveryPassword

# Retrieve recovery key from Azure AD
# Azure Portal → Azure AD → Devices → [device] → BitLocker keys
# Or via Microsoft Graph API:
# GET /devices/{id}/bitlockerRecoveryKeys

Step 6: Monitor Encryption Status

# Check encryption status across fleet
manage-bde -status C:

# Expected output for encrypted drive:
#   Conversion Status: Fully Encrypted
#   Percentage Encrypted: 100.0%
#   Encryption Method: XTS-AES 256
#   Protection Status: Protection On
#   Key Protectors: TPM, Numerical Password

# PowerShell compliance check
$vol = Get-BitLockerVolume -MountPoint "C:"
if ($vol.ProtectionStatus -eq "On" -and $vol.VolumeStatus -eq "FullyEncrypted") {
    Write-Host "COMPLIANT: BitLocker enabled and fully encrypted"
} else {
    Write-Host "NON-COMPLIANT: BitLocker status - Protection: $($vol.ProtectionStatus), Volume: $($vol.VolumeStatus)"
}

Key Concepts

| Term | Definition | |------|-----------| | TPM (Trusted Platform Module) | Hardware security chip that stores BitLocker encryption keys and provides measured boot integrity | | XTS-AES 256 | Encryption cipher used by BitLocker; XTS mode provides better protection for disk encryption than CBC | | Recovery Key | 48-digit numerical password used to unlock BitLocker-encrypted drive when TPM authentication fails | | Key Protector | Method used to unlock BitLocker (TPM, TPM+PIN, recovery password, startup key, smart card) | | Used Space Only Encryption | Encrypts only sectors containing data; faster initial encryption but may leave remnant data in free space | | Full Disk Encryption | Encrypts entire volume including free space; slower but more secure for drives that previously contained data |

Tools & Systems

• BitLocker (built-in): Windows full disk encryption feature
• manage-bde.exe: Command-line BitLocker management tool
• BitLocker Recovery Password Viewer: RSAT tool for viewing recovery keys in Active Directory
• MBAM (Microsoft BitLocker Administration and Monitoring): Enterprise BitLocker management (legacy, replaced by Intune)
• Microsoft Intune: Cloud-based BitLocker policy deployment and recovery key management

Common Pitfalls

• Not escrowing recovery keys before encryption: If recovery keys are not saved to AD/Azure AD before encryption, they may be permanently lost if the TPM fails.
• Using TPM-only without PIN: TPM-only mode is transparent but vulnerable to cold boot attacks and evil maid attacks. Add a startup PIN for laptops leaving the office.
• Encrypting used space only on repurposed drives: If a drive previously contained sensitive data, "used space only" encryption leaves deleted data unencrypted in free space. Use full disk encryption for repurposed drives.
• Forgetting removable drives: USB drives and external disks are common data loss vectors. Enforce BitLocker To Go for removable media.
• No pre-provisioning for SCCM deployments: Pre-provision BitLocker during OSD task sequence to encrypt before OS deployment, avoiding the lengthy post-deployment encryption process.