Skip to content

Step by Step : Securing Drives using Bitlocker in Windows Server 2012 R2

July 29, 2014

After my long post about NAP technology step by step, this time lets go through another highly recommended feature that you can deploy in your infrastructure, which is Bitlocker.

BitLocker is a drive encryption technology that enables a user to encrypt an entire hard drive to protect it from unauthorized access attempts. 

BitLocker was introduced in Windows Vista and Windows 2008. BitLocker is available on select versions of the Windows operating system.

BitLocker has the following characteristics.

  • BitLocker can encrypt an entire hard drive or only the utilized parts of a hard drive.
  • BitLocker can be combined with EFS.
  • BitLocker protects the integrity of the Windows startup process.
  • Some BitLocker features usable when Trusted Platform Module (TPM) is available on the computer.

In this demo, i will go through a step by step how to secure your data drives using Bitlocker in Server 2012 R2

In our 1st step, we need to deploy group policy before we start implementing Bitlocker

1 – On your Domain Server, in my case, i will be using my OSI-ADDS01 Domain Server in which is located in my Hyper-V.

Open Group Policy Management, expend osi.local, right-click the Default Domain Policy, and then click Edit


2 – In the Group Policy Management Editor console, under Computer Configuration, expand Policies, expand Administrative Templates, expand Windows Components, expand BitLocker Drive Encryption, and then click Fixed Data Drives.

Then in the right pane, double-click the Choose how BitLocker-protected fixed drives can be recovered setting…


3 – In the Choose how BitLocker-protected fixed drives can be recovered interface, click Enabled.

Click the checkbox next to the Save BitLocker recovery information to AD DS for fixed data drives, then click the Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives option, and then click OK


4 – Next, log in to another Server, which is my case i will log in to my previous OSI-NPS Server (for those who follow my blog you all should remember that my OSI-NPS Server i used for my NAP deployment…)

Before we start enable the Bitlocker, on the OSI-NPS please run the gpupdate /force command

Then, open Server Manager, click Manage, and then click Add Roles and Features, click Next until you get Select features interface

In the Select features interface, click BitLocker Drive Encryption and then click Next


5 – In the Confirm installation selections interface, click Install, wait for few minutes then Restart your Server…



6 – Once your Server restart, open This PC explorer and right click F: Drive (any partition that you want to enable Bitlocker), then on the Menu click Turn on Bitlocker


7 – In the Choose how you want to unlock this drive interface, click Use a password to unlock the drive, then type your password and then click Next.


8 – In the How do you want to back up your recovery key interface, click Save to a file


9 – In the Save BitLocker recovery key as window, navigate to Desktop, and then click Save


10 – In the BitLocker Drive Encryption dialog box, click Yes to save the recovery key to the computer…


11 – On the Are you ready to encrypt this drive window, click Start encrypting


12 – Click Close when the encryption is complete…


13 – Next open PowerShell and the type manage-bde -status, verify that F: volume should show “Protection On” as the protection status…


14 – Next what i’m going to is to move my F: Drive in OSI-NPS Server to my OSI-ADDS01 domain Server (the purpose is to simulate the Bitlocker function)…

Since this demo running on the Hyper-V, open Hyper-V console, under Virtual Machines, right click OSI-NPS vm then click Settings



15 – In the left pane of the Settings interface, click SCSI Controller then click Remove


16 – the click OK


17 – Next, go to OSI-ADDS Hyper-V Settings, click SCSI Controller, then on the right pane click Hard Drive the click Add


18 – next click Browse


19 – then locate Bitlocker.vhdx (which is this VM refer to F: Drive on the OSI-NPS Server), and then click OK


20 – Next, open Server Manager on the OSI-ADDS01 Server, click Tools and click Computer Management


21 – In the Computer Management interface, click Disk Management, in the list of disks, right-click Disk 1, and then click Online


22 – Next, open This PC explorer on the OSI-ADDS01 server, you should have Local Disk (F:) on the explorer, then right click F: and choose Unlock Drive…


23 – on the Bitlocker (F:) menu, under Enter password to unlock this drive:, click More Options


24 – Next, on the OSI-ADDS01 server, open Active Directory Users and Computers, click View, and then click Advanced Features


25 – right click osi.local, and then click Find


26 – In the Find Users, Contacts, and Groups interface, select Computers from the Find drop-down menu, in the Computer name field, type NPS, and then click Find Now and double-click NPS


27 – On the NPS Properties, Click Bitlocker Recovery tab, notice the Password ID…


28 – Under details, copy the whole set of password


29 – then in the Bitlocker (F:) windows, paste the 48-digit recovery password that we copied just now into the recovery key field, and then click Unlock


30 – Go back to the This PC explorer and note that the drive F has an unlocked icon. The drive is now unlocked and data can be recovered.


One Comment
  1. han permalink

    It was hard to find bitlocker implementation on 2012 in AD. Thanks.
    But did you use the recovery key to show how to recover from the recovery key stored in AD. Wouldn’t you use the unlock password?

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: