Microsoft Azure AZ-801 — Section 7: Secure Windows Server storage
44. Manage Windows BitLocker Drive Encryption (BitLocker)
Let’s talk now about BitLocker Drive encryption.
Now, BitLocker is nothing new. We’ve had BitLocker ever since Windows Vista came out back in the year 2008. However, it’s still a very powerful capability and feature that can be used as full disk encryption, which means it can basically encrypt our partitions for us on our hard drives. That way nobody could access our data offline if they booted the hard drives up on a different computer or a different operating system. It’s definitely going to add a layer of protection to our data.
On server, there is a little difference in managing it compared to a client operating system. Normally what you could do is just go to Control Panel here and you would see that there is a BitLocker option right there in Control Panel. On a client operating system, you could also just right-click a drive and you could use BitLocker that way. But on server it’s different. You have to actually go to Server Manager here and go to Manage, Add Roles and Features. We’ll click Next, Next, Next. All right. And then go to the Features page here. All right. And you’ll see you have BitLocker Drive Encryption.
So, we’ll add that. There’s also a little feature here called BitLocker Network Unlock. This is going to let you basically automatically unlock devices in a domain across the network, which is kind of neat. But anyway, I’m going to go ahead and click Next. Next, Next. Fine. It says select the role services. So, you have the Deployment Server. Deployment Server provides the full functionality of Windows Deployment Services, which you can use to configure or remotely install Windows operating systems if you want.
This is if you wanted to be able to manage the BitLocker services remotely, and then the Transport Server, which is going to give you the Windows Deployment Services for the networking side of being able to manage keys and all that network-wise. So, that’s fine. We’ll go ahead and click Next. And at that point we’re going to click Install. I’ll give that just a moment. I’ll just pause the recording while that’s installing. All right. As you can see, it is going to require a restart. So, I’m going to hit Close and I’m going to go ahead and allow the server to restart. After the reboot, you can see that if I go to Control Panel now, BitLocker Drive Encryption is now available. I’m not going to actually turn it on in this video. I just wanted to show you how we could get it installed and set up here, and it is now officially installed.
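The same installation from PowerShell, for when you are building servers from a script rather than clicking through Server Manager. This is an added example, not something shown in the course; it assumes an elevated PowerShell session on the server itself. The feature names `BitLocker` and `BitLocker-NetworkUnlock` are the real Windows Server feature names behind the two checkboxes in the wizard.

```powershell
# Added example (not from the course): install the BitLocker feature with PowerShell
# instead of the Add Roles and Features wizard. Run elevated on the target server.

# The BitLocker feature plus its management tools (manage-bde, the Control Panel
# applet and the BitLocker PowerShell module).
Install-WindowsFeature -Name BitLocker -IncludeManagementTools

# Optional: the BitLocker Network Unlock sub-feature seen in the wizard. Only add it
# if you intend to deploy Network Unlock, because it pulls in Windows Deployment Services.
# Install-WindowsFeature -Name BitLocker-NetworkUnlock

# Confirm what got installed. As in the wizard, a restart is required before the
# feature is usable, so check InstallState for "InstallPending".
Get-WindowsFeature -Name 'BitLocker*' |
    Format-Table Name, DisplayName, InstallState -AutoSize

# Reboot when you are ready (the wizard asked for the same thing)
# Restart-Computer
```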
45. Manage and recover encrypted volumes
For managing BitLocker on a server, obviously, first thing you’ve got to do is install the BitLocker services, which I’ve already done here on this NYC-DC1. You can see that it is already installed on the system. But now I want to show you a problem we’re going to run into in my case.
I’m going to go to Control Panel here and you’re going to notice that if I go right here to BitLocker Drive Encryption and try to turn on BitLocker Drive Encryption for my C drive, I’m going to get an error. The error is going to tell me that I have to have a Trusted Platform Module, which is basically a chip that is going to allow me to store encryption key information. This is something Microsoft has been pushing on all the operating systems: they want you to have a TPM chip in your computer. This virtual machine does not have a TPM chip. There are ways to create what’s called a virtual TPM, but I’m not getting into that here.
What I’m going to do is use a group policy to disable this requirement. So, I want to show you how we can do that. I’m going to close out of this and we’re going to go to Server Manager. We’re going to go to Tools and open up Group Policy Management. All right. Once we’re there, we’re just going to create a GPO called Disable TPM Requirement, and I’m going to go ahead and edit that. From there, I’m going to go under Computer Configuration, Policies. We’re going to go to Administrative Templates. All right. Then we’ll go to Windows Components and you’ll see BitLocker Drive Encryption. We’re going to choose Operating System Drives, and there is a policy called Require additional authentication at startup. We’re going to double-click on that, click to enable this policy, and make sure that checkbox right there is checked, which is Allow BitLocker without a compatible TPM. So, that is checked, right? We’re going to click OK, and click OK again. I’m just going to link this to the domain, click OK, and then I’m going to go to a command prompt because I don’t want to wait, and I’m going to run gpupdate /force. So, let’s run that on this domain controller here, which should allow this policy to take effect relatively quickly. Looks like it. Computer policy has updated successfully. That’s the one we care about. So, we’ll close out of that.
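Here is the same Disable TPM Requirement GPO built with the GroupPolicy module, as an added example that is not part of the course. It assumes you run it as a domain admin on a domain controller or a box with the RSAT GroupPolicy tools, and the domain distinguished name `DC=contoso,DC=com` is a placeholder for your own. The two registry values under the FVE policy key are what the Require additional authentication at startup policy writes when it is enabled with the Allow BitLocker without a compatible TPM box checked; the `Get-Tpm` call at the top shows the condition (no TPM present) that produced the error in the video.

```powershell
# Added example (not from the course): create and link the "Disable TPM Requirement" GPO
# with PowerShell instead of the Group Policy Management console.
# Assumes: domain admin, GroupPolicy RSAT module available, placeholder domain contoso.com.

Import-Module GroupPolicy

# Is a TPM actually present on this machine? On a VM without a virtual TPM this shows
# TpmPresent = False, which is why the BitLocker wizard refused to continue.
Get-Tpm | Select-Object TpmPresent, TpmReady

$gpoName = 'Disable TPM Requirement'
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Allow BitLocker on OS drives without a TPM'
}

# Policy: Computer Configuration > Administrative Templates > Windows Components >
# BitLocker Drive Encryption > Operating System Drives >
# "Require additional authentication at startup" = Enabled,
# with "Allow BitLocker without a compatible TPM" checked.
$fveKey = 'HKLM\SOFTWARE\Policies\Microsoft\FVE'
Set-GPRegistryValue -Name $gpoName -Key $fveKey -ValueName 'UseAdvancedStartup'  -Type DWord -Value 1
Set-GPRegistryValue -Name $gpoName -Key $fveKey -ValueName 'EnableBDEWithNoTPM' -Type DWord -Value 1

# Link it at the domain root, as the video does. In production, link it to an OU that
# holds only the servers that lack a TPM, since it relaxes pre-boot protection wherever it lands.
New-GPLink -Name $gpoName -Target 'DC=contoso,DC=com' -LinkEnabled Yes

# Pull the policy now instead of waiting for the refresh interval, then verify the
# resulting registry values on this machine.
gpupdate /force
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' |
    Select-Object UseAdvancedStartup, EnableBDEWithNoTPM
```

Both values should read `1` after the refresh; if they do not, `gpresult /r` will tell you whether the GPO was applied to the computer at all.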
Now, let’s go back into Control Panel. So, we’ll go down here, search for Control Panel, open that up, and then we’re going to go to BitLocker Drive Encryption and Turn on BitLocker. As you can see, I did not get the error this time, so it’s going to allow me to encrypt this drive. It wants to know if I want to use a USB drive to store my encryption key information or just use a password as my encryption key. In my case, I’m going to use a password. So, we’ll just put in the password that I want to use. All right. Then we’re going to click Next. Now it wants to know how I want to back up my recovery key, like to a USB drive. This is the recovery key.
The recovery key is a special key. It’s a 48-digit number that’s sort of a failsafe: if anything failed, like if you really did have a TPM chip and it failed, or if you forgot your password, you could recover with this key. So I could save it on a flash drive, save it to a file, store it somewhere, or print it out. Printing it is almost like saving it to a file. I’m just going to store it over on my server.
So, \\nyc-svr1\c$. All right. And let’s try that again, \\nyc-svr1\c$. For some reason it is not making a connection to that server right now, and I will have to figure that out. Let’s see, \\nyc-dc1\c$. All right. We’ll just do that. So, click Next. I can troubleshoot why it’s not connecting to my server later. Then it says Choose how much of your drive to encrypt: encrypt used disk space only (faster and best for new PCs and drives) or encrypt the entire drive (slower but best for PCs and drives already in use).
Now, the idea here would be if you had an older drive and you’ve deleted a bunch of data or maybe formatted the hard drive, there are still traces of that data on the drive. If you choose to encrypt the entire hard drive, it’ll encrypt that old space as well, which means anything that might have traces of old data could never be deleted at that point. In this case, I’m just going to say encrypt used disk space only, just to make this a little faster. So, I’m going to click Next. The next thing is, do you want to use the newer level of encryption, which is not all that new considering it’s been around since November of 2015. The newer encryption is a stronger encryption than the older one. So, it’s Advanced Encryption Standard, in a newer encryption mode.
We’re going to choose that. The only reason you would ever use that is if you had to pop this hard drive into something, a machine from before November 2015, like Windows 10. Do you want to do a BitLocker system check right now? It’s going to check to ensure BitLocker can read the recovery and encryption keys, and BitLocker will restart the computer before encrypting. I’m going to turn that off just to speed this process up. All right. At that point, BitLocker is now encrypting my drive. It’s telling you that the encryption is in progress. It doesn’t really take very long. Usually it just takes a moment or so for it to get done encrypting.
What I do want to show you now, while that’s happening, is in File Explorer here. Let’s look at my recovery key file that I created. Here it is right here: this BitLocker recovery key. So, this is that 48-digit number. If you got locked out of the drive, you could use that 48-digit number. It’s not a good idea to store this key on the same drive that you’re encrypting. That’s why generally I like to store it over on a server. You can actually store it in Azure as well, but I’m not going to get into that right now in this video. Ultimately, you want to keep that recovery key safe, and if you ever got locked out of the drive, you could always use that key to unlock the drive. That’s the idea. The drive will identify itself usually by these digits that you see right here, and then you would use this key to unlock it.
If you forgot your password, or if you stored your key on a USB drive and it got broken, or if it’s stored in a TPM chip and the TPM chip got damaged, there are various things that could happen. You could recover that way. All right.
So, this thing is still encrypting. It usually doesn’t take too long. The server didn’t have a lot of memory, so in my case it’s taking a little longer than expected. I’m going to go ahead and just pause the recording while that’s encrypting. All right.
Once it was done encrypting, I triggered a restart on my server here, and I wanted to show you what that looks like. I’m in Hyper-V here and my server is trying to reboot, and you’ll notice that it immediately came to the BitLocker Drive Encryption screen. So, it’s going to allow me to enter my password, and I could also hit Escape if I want to enter that recovery key, that 48-digit number. But I’m going to go ahead and put my password in here. Put that in and let’s see if Windows will just boot right up for us, which it looks like it is. So, it was able to successfully unlock the drive. All right. I’m putting in my credentials. Of course, the screen’s a little bit small there, but once you get logged on, it will go to full screen here. And there it goes. So, you’re going to see it is allowing me to successfully boot my server.
Now, keep in mind, if you had encrypted just another drive that was not the operating system drive, I wouldn’t have had to deal with all that. You would still be able to boot up your operating system and your other drives. It doesn’t stop you when you’re trying to log on if you’re just encrypting a drive like an E drive or something like that. But as you can see, BitLocker Drive Encryption is now officially enabled. And if I wanted to disable that, if I wanted to remove all of this stuff, removing it is essentially about the same process as enabling it. Right? So, I do have the ability to go back into Control Panel and I can remove it. I could also go into Manage, Add Roles and Features, and I could strip away BitLocker Drive Encryption that way as well. I just have to click Turn off BitLocker and it’s going to decrypt the drive. I am going to do that in my case, just because I’m trying to speed my virtual machine up as much as I can since it doesn’t have a lot of memory. But there you go. That is how you can manage BitLocker on a server.
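The whole walkthrough from section 45 as a script, using the BitLocker PowerShell module that ships with the feature. This is an added example and not part of the course. It assumes the BitLocker feature is installed, the no-TPM policy has been applied, the session is elevated, and the machine is domain-joined with the BitLocker AD schema (present since Windows Server 2008) so the recovery password can be escrowed to the computer object; the share path `\\nyc-svr1\BitLockerKeys` is a placeholder, and the recovery password in the commented-out unlock step is a fake value. Compared with the wizard, the script makes two things explicit that are easy to miss by hand: the 48-digit recovery password is a separate key protector that you add, and it should be backed up somewhere other than the drive being encrypted before you rely on it.

```powershell
# Added example (not from the course): encrypt the OS drive with a startup password,
# add and escrow the 48-digit recovery password, watch progress, and show recovery/removal.
# Assumes: BitLocker feature installed, no-TPM GPO applied, elevated session, domain-joined.

# 1. Startup password protector (the video's "use a password" choice). Read it as a
#    SecureString so it never sits in the console history or a plain-text variable.
$pw = Read-Host -AsSecureString -Prompt 'BitLocker startup password for C:'

# Used-space-only encryption (faster) with XTS-AES 256, the "new encryption mode" added in
# November 2015 (Windows 10 1511 / Server 2016). -SkipHardwareTest mirrors unchecking the
# system check in the wizard, so encryption starts without the extra reboot.
Enable-BitLocker -MountPoint 'C:' -PasswordProtector -Password $pw `
    -UsedSpaceOnly -EncryptionMethod XtsAes256 -SkipHardwareTest

# 2. Add the 48-digit recovery password. With -PasswordProtector alone, Enable-BitLocker
#    does not create one, so this call is the wizard's "back up your recovery key" step.
$vol = Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector
$rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'

# 3. Store it off the encrypted drive: a file on another server, as in the video, and
#    an escrow copy in AD DS (visible in ADUC on the computer object's BitLocker Recovery
#    tab). Never leave the only copy on the volume it unlocks.
$dest = '\\nyc-svr1\BitLockerKeys'   # placeholder share for the example
$file = Join-Path $dest "$env:COMPUTERNAME-C-$($rp.KeyProtectorId).txt"
@(
    "Computer:          $env:COMPUTERNAME"
    "Identifier:        $($rp.KeyProtectorId)"   # matches the ID shown on the recovery screen
    "Recovery Password: $($rp.RecoveryPassword)"
) | Out-File -FilePath $file -Encoding UTF8
Backup-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $rp.KeyProtectorId

# 4. Follow the "encryption in progress" dialog from the console.
do {
    $v = Get-BitLockerVolume -MountPoint 'C:'
    Write-Host ('{0} {1,3}%  {2}' -f $v.MountPoint, $v.EncryptionPercentage, $v.VolumeStatus)
    if ($v.VolumeStatus -ne 'FullyEncrypted') { Start-Sleep -Seconds 15 }
} while ($v.VolumeStatus -ne 'FullyEncrypted')

# List the protectors so you can confirm both a Password and a RecoveryPassword exist.
(Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
    Format-Table KeyProtectorType, KeyProtectorId -AutoSize

# 5. Recovery. For the OS drive this happens at the pre-boot screen (Esc, then the 48
#    digits). For a locked data volume you can do it from PowerShell; fake value shown.
# Unlock-BitLocker -MountPoint 'E:' -RecoveryPassword '111111-222222-333333-444444-555555-666666-777777-888888'

# 6. "Turn off BitLocker" = decrypt the volume, as at the end of the video.
# Disable-BitLocker -MountPoint 'C:'
```

If `Backup-BitLockerKeyProtector` fails, check that the computer object can write `msFVE-RecoveryInformation` children and that the domain schema includes the BitLocker classes; the file copy on the other server is your fallback until escrow works.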