TPM and startup key
TPM and PIN and startup key
AD DS (data drives only)
Enabling BitLocker encryption of the operating system drive
You can enable BitLocker from the command line, with the manage-bde command, or with
the Windows PowerShell Enable-BitLocker cmdlet.
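The following script is an added example (not from the book) of the PowerShell route for the operating system drive. It assumes the BitLocker feature is installed, a TPM of version 1.2 or later is present, and Group Policy allows recovery information to be backed up to AD DS. The order is deliberate: a recovery password is created and escrowed before the TPM protector is added, so there is never a point at which the volume depends on the TPM alone.

```powershell
# Added example: enable BitLocker on C: with a recovery password and a TPM protector.
# Assumptions: BitLocker feature installed, TPM 1.2+ present, AD DS backup policy set.
$MountPoint = 'C:'

$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.VolumeType -ne 'OperatingSystem') {
    throw "$MountPoint is not the operating system volume"
}
if ($vol.ProtectionStatus -eq 'On') {
    Write-Output "$MountPoint is already protected; nothing to do."
    return
}

# Start with a recovery password protector. -SkipHardwareTest avoids the extra
# restart that BitLocker otherwise requires before encryption begins.
Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod Aes256 `
    -RecoveryPasswordProtector -SkipHardwareTest

# Escrow the recovery password in AD DS before the TPM protector is added.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
$rp  = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
       Select-Object -First 1
Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId

# Seal the volume master key to the platform measurements held by the TPM.
Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmProtector

# Report the resulting state; EncryptionPercentage climbs to 100 in the background.
Get-BitLockerVolume -MountPoint $MountPoint |
    Select-Object MountPoint, VolumeType, VolumeStatus, ProtectionStatus, EncryptionPercentage
```

Run it from an elevated PowerShell session; Backup-BitLockerKeyProtector fails if the computer cannot reach a writable domain controller, which is the point at which to stop rather than continue without an escrowed recovery password.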
NOTE USING THE BITLOCKER DRIVE ENCRYPTION CONTROL PANEL
When you install the BitLocker feature in Windows Server 2012 R2, the Control Panel
application is not normally visible until you encrypt your first volume, unless you have
the Desktop Experience feature installed (you normally would not, except on a Remote
Desktop Session Host computer). If you have Desktop Experience installed, you can use the
BitLocker Drive Encryption Control Panel application for your first volume encryption.
BitLocker works best with a TPM of at least version 1.2. This hardware encryption module
works with BitLocker to do full volume encryption. If the hardware changes in any significant
way, BitLocker will not recognize an encrypted volume. If the encrypted volume is the
operating system volume, Windows Server can't boot.
Suspending BitLocker
Whenever you need to make changes to the hardware or BIOS of a BitLocker-protected
server, or install system updates, you should suspend BitLocker on the operating system
drive to ensure that you can boot after the change. You can suspend BitLocker for a single
restart (the default) or for more than a single restart by using the -RebootCount parameter.
When BitLocker is suspended, the data on the volume is not decrypted; instead, the BitLocker
encryption key is available to everyone in the clear. New data written to the volume is still
encrypted, and BitLocker does not do a system integrity check on startup, allowing you to
start Windows Server even though there has been a change that would have normally triggered
an integrity check. To suspend BitLocker, use the BitLocker Drive Encryption Control
Panel item or use the Suspend-BitLocker cmdlet. For a suspension on the C: drive of three
restarts, use this:
Suspend-BitLocker -MountPoint C: -RebootCount 3
If you specify a RebootCount of 0, BitLocker is suspended until you resume BitLocker
protection by using the Resume-BitLocker cmdlet.
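Because a suspended volume exposes its key in the clear, the suspension should be as short as possible and should be verified afterwards. The functions below are an added example (not from the book) that wrap the maintenance cycle the text describes: suspend only the operating system volume for a stated number of restarts, resume it, and audit for volumes that are fully encrypted but whose protection has been left off (which is what a RebootCount of 0 or a forgotten suspension looks like in Get-BitLockerVolume output). Function names and the CSV layout are assumptions made for this example.

```powershell
# Added example: controlled suspend/resume of the OS drive plus an audit of
# volumes left suspended. Not from the book; cmdlets are the built-in BitLocker module.

function Suspend-OsDriveBitLocker {
    param(
        [string]$MountPoint = 'C:',
        [int]$RebootCount = 1      # 1 = default single restart; 0 = until Resume-BitLocker
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeType -ne 'OperatingSystem') {
        throw "$MountPoint is not the operating system volume; refusing to suspend"
    }
    if ($vol.ProtectionStatus -ne 'On') {
        Write-Warning "$MountPoint is not currently protected (already suspended or off)"
        return $vol
    }
    if ($RebootCount -eq 0) {
        Write-Warning "RebootCount 0: protection stays off until Resume-BitLocker is run"
    }
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount $RebootCount
}

function Resume-OsDriveBitLocker {
    param([string]$MountPoint = 'C:')
    $vol = Resume-BitLocker -MountPoint $MountPoint
    if ($vol.ProtectionStatus -ne 'On') {
        throw "Protection on $MountPoint did not resume; investigate before rebooting"
    }
    $vol
}

# Audit: a volume that is FullyEncrypted but has ProtectionStatus Off is either
# suspended or has lost its protectors. Either way the key is exposed and it
# deserves a ticket. Returns the offending volumes (empty if all is well).
function Get-SuspendedBitLockerVolume {
    Get-BitLockerVolume | Where-Object {
        $_.VolumeStatus -eq 'FullyEncrypted' -and $_.ProtectionStatus -eq 'Off'
    } | Select-Object MountPoint, VolumeType, VolumeStatus, ProtectionStatus
}

# Typical maintenance cycle around a firmware update:
Suspend-OsDriveBitLocker -MountPoint 'C:' -RebootCount 3
# ... apply the BIOS/firmware update and restart up to three times ...
Resume-OsDriveBitLocker -MountPoint 'C:'
Get-SuspendedBitLockerVolume
```

Running Get-SuspendedBitLockerVolume on a schedule (for example from a scheduled task that writes to the event log) turns a silent, indefinite suspension into something that is noticed.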
Locking or unlocking BitLocker volumes
You can lock a BitLocker volume to prevent any access to the volume by using the
Lock-BitLocker cmdlet. The volume remains locked until it is unlocked with the
Unlock-BitLocker cmdlet. Operating system volumes can't be locked.
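As an added example (not from the book), the following shows the lock/unlock cycle on a data volume, with the checks the text implies: it refuses the operating system volume, confirms the lock took effect by reading LockStatus, and unlocks with a recovery password. The drive letter D: and the recovery password value are placeholders for this example.

```powershell
# Added example: lock and unlock a BitLocker data volume with state checks.
# D: and the recovery password are placeholders; not from the book.
$MountPoint = 'D:'

function Lock-DataVolume {
    param([string]$MountPoint)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeType -eq 'OperatingSystem') {
        throw "Operating system volumes cannot be locked"
    }
    if ($vol.ProtectionStatus -ne 'On') {
        throw "$MountPoint is not protected; locking is meaningless"
    }
    # -ForceDismount closes open handles so the lock is not refused by busy files.
    $vol = Lock-BitLocker -MountPoint $MountPoint -ForceDismount
    if ($vol.LockStatus -ne 'Locked') { throw "$MountPoint did not lock" }
    $vol
}

function Unlock-DataVolume {
    param([string]$MountPoint, [string]$RecoveryPassword)
    $vol = Unlock-BitLocker -MountPoint $MountPoint -RecoveryPassword $RecoveryPassword
    if ($vol.LockStatus -ne 'Unlocked') { throw "$MountPoint is still locked" }
    $vol
}

Lock-DataVolume -MountPoint $MountPoint |
    Select-Object MountPoint, VolumeType, LockStatus, ProtectionStatus

# Placeholder 48-digit recovery password; in practice retrieve it from AD DS.
$rp = '000000-000000-000000-000000-000000-000000-000000-000000'
Unlock-DataVolume -MountPoint $MountPoint -RecoveryPassword $rp |
    Select-Object MountPoint, VolumeType, LockStatus, ProtectionStatus
```

If the volume also has a password protector, Unlock-BitLocker accepts -Password with a SecureString instead of -RecoveryPassword; the recovery password path is shown here because it is the one that works regardless of which other protectors exist.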