Windows

How to encrypt Hyper-V host with Bitlocker on Windows 2012

There comes a time when putting a server in server room is just one of the steps to protect your privacy. Sometimes it's necessary to make sure that in case of hardware getting stolen or simply protection against unauthorized party having access to physical location is also required. That's where the encryption comes in. There are plenty of options to choose from but Microsoft includes built-in method to protect your server. Best thing about it is that it actually supports Microsoft Hyper-V servers so that encrypting HOST protects hosted servers as well.

Encrypting operating system drive with Bitlocker

Open Server Manager

Choose Add Roles and Features option and press Next on the overview screen.

Choose Role-based or feature-based installation and press Next

Choose option Select a server from the server pool and choose proper server from the list. Confirm selection with Next

On next screen on the Server Roles section skip it by pressing Next making no changes.

On the Features section choose BitLocker Drive Encryption feature and confirm choice to Include management tools installation. If that option doesn't show and Next button is greyed out try to uncheck and check again this option which should unlock further installation.

Choose Add Features option which should select couple of additional options in the features section.

Confirm choice by clicking Install. When installation is done restart server to finish installation of Bitlocker. No encryption process will start.

After server is back online go to Start, type in Bitlocker and find Bitlocker Drive Encryption

The same can be accomplished by going into Control Panel and simply selecting the option Bitlocker Drive Encryption

After opening Bitlocker Drive Encryption control panel application we get to turn on Bitlocker for system drive, as well as any other drives in the system.

Pressing Turn on Bitlocker triggers an option to Save recovery key to a file, or to print it. Since this key is very important it's advised to make multiple copies of the key. Also saving the key is not that easy as Windows will not allow to save the key on the same drive, or any other drive inside root directory. If this key is lost, your chances of recovering the data from drive are minimal.

When done with saving the file or printing it, press Next to follow with encryption process

Finally depending on situation one has to decide whether to encrypt entire drive or used space only. After choosing proper option proceed by pressing Next

Before encryption process is started there's a final confirmation if you really want to encrypt the drive. Make sure the check checkbox Run Bitlocker system check to verify recovery and encryption keys. Press Restart Now to finish Bitlocker initialization.

Until this is done bitlocker encryption won't be started.

After reboot encryption process starts and our drive is now marked as encrypted.

We can also check status of encryption by opening Bitlocker Drive Encryption app. At this point drive C is still being encrypted.

Encrypting Fixed Data Drives with Bitlocker

Adding additional encryption for other drives is much easier process. Simply go Bitlocker Drive Encryption app in control panel and choose Turn on Bitlocker for Fixed Data drives.

When new wizard shows up we just need to choose how we want to unlock this drive. In our case we wanted additional drives to be mounted with system as we already have system drive encrypted. Please be aware that this option is not available if system drive is not encrypted.

Press Next to proceed further

Again we need to save our recovery key so that in case of any problems we can easily decrypt the data.

After the file has been saved press Next. On next question we need to decide whether whole drive needs to be encrypted or just data. Since we already had data on this drive we are encrypting entire drive with Bitlocker. However on new drives it's possible to start with used space only.

Pressing Next takes us to last screen where we need to confirm we want to start encryption process.

Press Start encrypting and enjoy bitlocked drives.

Notes

By default Bitlocker configuration works in a way that involves storing encryption keys inside TPM chip. This protects the data on drives in a way that when drive is removed from the machine it cannot be accessed. However that setup doesn't require any additional PIN or Password to decrypt drive. So on any reboot/start of machine the machine is up and running and ready to be accessed by standard login and password. This protection is enough to keep data secure but some administrators want additional security and require PIN before machine is able to boot up. This requires additional settings.

This post was last modified on %s = human-readable time difference 20:35

Przemyslaw Klys

System Architect with over 14 years of experience in the IT field. Skilled, among others, in Active Directory, Microsoft Exchange and Office 365. Profoundly interested in PowerShell. Software geek.

Next How to change DELL iDRAC password remotely »

Previous « PowerShell - How to format Write-Host with multiple colors

Published by

Przemyslaw Klys

Tags: bitlockerhyper-vwindows server

8 years ago

Strengthening Password Security in Active Directory: A PowerShell-Powered Approach
PasswordSolution uses the DSInternals PowerShell module to gather Active Directory hashes and then combines that…
Reporting group membership for critical Active Directory groups
I work a lot with Active Directory-related tasks. One of the tasks is to know…
OfficeIMO – Free cross-platform Microsoft Word .NET library
I've created a cross-platform (Windows, Linux, macOS) Word library based on Open XML SDK that…

Upgrade Azure Active Directory Connect fails with unexpected error

Today, I made the decision to upgrade my test environment and update the version of…

1 month ago

Active Directory

Mastering Active Directory Hygiene: Automating Stale Computer Cleanup with CleanupMonster

Have you ever looked at your Active Directory and wondered, "Why do I still have…

2 months ago

Active Directory

Active Directory Replication Summary to your Email or Microsoft Teams

Active Directory replication is a critical process that ensures the consistent and up-to-date state of…

7 months ago

Office 365

Syncing Global Address List (GAL) to personal contacts and between Office 365 tenants with PowerShell

Hey there! Today, I wanted to introduce you to one of the small but excellent…

11 months ago

Active Directory

Active Directory Health Check using Microsoft Entra Connect Health Service

Active Directory (AD) is crucial in managing identities and resources within an organization. Ensuring its…

1 year ago

PowerShell

Seamless HTML Report Creation: Harness the Power of Markdown with PSWriteHTML PowerShell Module

In today's digital age, the ability to create compelling and informative HTML reports and documents…