Implementing Disk Encryption with BitLocker

When to Use

Use this skill when:
  • Encrypting Windows endpoints to protect data at rest for compliance (PCI DSS, HIPAA, GDPR)
  • Deploying BitLocker across enterprise fleet via Intune, SCCM, or GPO
  • Configuring TPM-based encryption with PIN or USB startup key for enhanced security
  • Managing BitLocker recovery keys in Active Directory or Azure AD
Do not use this skill for Linux disk encryption (use LUKS/dm-crypt) or macOS (use FileVault).

Prerequisites

  • Windows 10/11 Pro, Enterprise, or Education edition
  • TPM 2.0 chip (recommended; TPM 1.2 supported with limitations)
  • UEFI firmware with Secure Boot enabled (recommended)
  • Separate system partition (200 MB minimum, created automatically by Windows installer)
  • Active Directory or Azure AD for recovery key escrow

Workflow

Step 1: Verify TPM and System Requirements

```powershell
# Check TPM status
Get-Tpm
# Fields of interest: ManufacturerId, ManufacturerVersion, TpmPresent, TpmReady, TpmEnabled

# Check TPM version (2.0 required for best compatibility)
(Get-WmiObject -Namespace "root\cimv2\security\microsofttpm" -Class Win32_Tpm).SpecVersion

# Check UEFI/Secure Boot
Confirm-SecureBootUEFI
# Returns True if Secure Boot is enabled

# Check BitLocker readiness
$vol = Get-BitLockerVolume -MountPoint "C:"
$vol.VolumeStatus      # Should be "FullyDecrypted"
$vol.ProtectionStatus  # Should be "Off"
```
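The individual checks above are easier to run at scale as one function that returns a single object with a pass/fail verdict and the reasons behind it. The following is an added example, not code from the original page; the function name `Test-BitLockerReadiness` and the choice of which checks are hard requirements (TPM present and ready, volume still decrypted) versus recommendations (TPM 2.0, Secure Boot) are my own. It needs an elevated session because `Get-Tpm` does.

```powershell
function Test-BitLockerReadiness {
    [CmdletBinding()]
    param(
        [string]$MountPoint = "C:"
    )

    $result = [ordered]@{
        ComputerName   = $env:COMPUTERNAME
        TpmPresent     = $false
        TpmReady       = $false
        TpmSpecVersion = $null
        SecureBoot     = $false
        VolumeStatus   = $null
        ReadyToEnable  = $false
        Findings       = @()
    }

    # TPM presence and readiness (Get-Tpm requires an elevated session)
    try {
        $tpm = Get-Tpm
        $result.TpmPresent = $tpm.TpmPresent
        $result.TpmReady   = $tpm.TpmReady
        if (-not $tpm.TpmPresent) {
            $result.Findings += "No TPM detected"
        } elseif (-not $tpm.TpmReady) {
            $result.Findings += "TPM present but not ready (initialise it or clear it in firmware)"
        }
    } catch {
        $result.Findings += "Get-Tpm failed: $($_.Exception.Message)"
    }

    # TPM specification version; SpecVersion reads like "2.0, 0, 1.59", first field is the spec
    $wmiTpm = Get-CimInstance -Namespace "root\cimv2\security\microsofttpm" -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if ($wmiTpm) {
        $result.TpmSpecVersion = ($wmiTpm.SpecVersion -split ',')[0].Trim()
        if ($result.TpmSpecVersion -ne "2.0") {
            $result.Findings += "TPM $($result.TpmSpecVersion) found; 2.0 recommended"
        }
    }

    # Secure Boot; the cmdlet throws on legacy BIOS systems, which is itself a finding
    try {
        $result.SecureBoot = Confirm-SecureBootUEFI
        if (-not $result.SecureBoot) { $result.Findings += "Secure Boot is disabled" }
    } catch {
        $result.Findings += "Not a UEFI system, or Secure Boot state could not be read"
    }

    # A fresh enablement expects the volume to be decrypted with protection off
    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction SilentlyContinue
    if ($vol) {
        $result.VolumeStatus = "$($vol.VolumeStatus)/$($vol.ProtectionStatus)"
        if ($vol.VolumeStatus -ne "FullyDecrypted") {
            $result.Findings += "$MountPoint is already $($vol.VolumeStatus)"
        }
    } else {
        $result.Findings += "Get-BitLockerVolume returned nothing for $MountPoint (edition without BitLocker?)"
    }

    # Hard requirements only; Secure Boot and TPM 2.0 stay as findings, not blockers
    $result.ReadyToEnable = $result.TpmPresent -and $result.TpmReady -and
                            ($null -ne $vol -and $vol.VolumeStatus -eq "FullyDecrypted")
    [pscustomobject]$result
}

Test-BitLockerReadiness | Format-List
```

Run it before Step 3 and act on `Findings`; a device with `ReadyToEnable = False` should not be pushed through the enablement script in Step 3.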

Step 2: Configure BitLocker GPO Settings

Computer Configuration → Administrative Templates → Windows Components → BitLocker Drive Encryption

Operating System Drives:
  - Require additional authentication at startup: Enabled
    - Allow BitLocker without compatible TPM: Disabled (enforce TPM)
    - Configure TPM startup: Allow TPM
    - Configure TPM startup PIN: Allow startup PIN with TPM
    - Configure TPM startup key: Allow startup key with TPM

  - Choose how BitLocker-protected OS drives can be recovered: Enabled
    - Allow data recovery agent: True
    - Configure storage of recovery information to AD DS: Enabled
    - Save recovery info to AD DS for OS drives: Store recovery passwords and key packages
    - Do not enable BitLocker until recovery information is stored: Enabled

  - Choose drive encryption method and cipher strength:
    - OS drives: XTS-AES 256-bit (Windows 10 1511+)
    - Fixed drives: XTS-AES 256-bit
    - Removable drives: AES-CBC 256-bit (for cross-platform compatibility)

Fixed Data Drives:
  - Choose how BitLocker-protected fixed drives can be recovered: Enabled
    - Store recovery passwords in AD DS: Enabled

Removable Data Drives:
  - Control use of BitLocker on removable drives: Enabled
  - Configure use of passwords for removable drives: Require complexity
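Once the GPO has applied, the settings above land as DWORD values under `HKLM\SOFTWARE\Policies\Microsoft\FVE`, which makes them auditable from PowerShell without opening the Group Policy editor. The following is an added example, not code from the original page. The value names and numeric mappings are my reading of the BitLocker ADMX (for example `EncryptionMethodWithXtsOs = 7` for XTS-AES 256 and `4` for AES-CBC 256, `UseTPM = 2` for "Allow"); confirm them against the ADMX shipped in your environment before relying on the comparison.

```powershell
function Test-BitLockerPolicy {
    [CmdletBinding()]
    param(
        [string]$PolicyKey = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"
    )

    # Expected values derived from the GPO settings listed above.
    # Value names and encodings follow my reading of the FVE ADMX; verify against yours.
    $expected = [ordered]@{
        UseAdvancedStartup             = 1   # Require additional authentication at startup: Enabled
        EnableBDEWithNoTPM             = 0   # Allow BitLocker without compatible TPM: Disabled
        UseTPM                         = 2   # Configure TPM startup: Allow TPM
        UseTPMPIN                      = 2   # Configure TPM startup PIN: Allow
        UseTPMKey                      = 2   # Configure TPM startup key: Allow
        EncryptionMethodWithXtsOs      = 7   # OS drives: XTS-AES 256-bit
        EncryptionMethodWithXtsFdv     = 7   # Fixed drives: XTS-AES 256-bit
        EncryptionMethodWithXtsRdv     = 4   # Removable drives: AES-CBC 256-bit
        OSActiveDirectoryBackup        = 1   # Store recovery information in AD DS: Enabled
        OSRequireActiveDirectoryBackup = 1   # Do not enable until recovery info is stored: Enabled
        OSActiveDirectoryInfoToStore   = 1   # Store recovery passwords and key packages
    }

    # Missing key or missing value both mean the policy has not applied
    $actual = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue

    foreach ($name in $expected.Keys) {
        $value = if ($actual) { $actual.$name } else { $null }
        [pscustomobject]@{
            Setting  = $name
            Expected = $expected[$name]
            Actual   = $value
            Status   = if ($null -eq $value) { "NotApplied" }
                       elseif ($value -eq $expected[$name]) { "OK" }
                       else { "Mismatch" }
        }
    }
}

Test-BitLockerPolicy | Format-Table -AutoSize
```

A `NotApplied` row on a domain-joined machine usually means the GPO is not linked to the OU or `gpupdate` has not run yet; a `Mismatch` on the encryption method rows is worth checking before any volume is encrypted, since the cipher cannot be changed afterwards without decrypting first.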

Step 3: Enable BitLocker - Command Line

```powershell
# Option A: Enable BitLocker with TPM-only protector (transparent to user)
Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 `
    -TpmProtector -SkipHardwareTest

# Option B: Enable BitLocker with TPM + PIN (recommended for laptops)
# "123456" is a placeholder; in practice collect the PIN with Read-Host -AsSecureString
$pin = ConvertTo-SecureString "123456" -AsPlainText -Force
Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 `
    -TpmAndPinProtector -Pin $pin

# Add recovery password protector
Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector

# Backup recovery key to Active Directory
# Select the protector by type; a fixed index such as KeyProtector[1] depends on creation order
$rp = (Get-BitLockerVolume -MountPoint "C:").KeyProtector |
    Where-Object { $_.KeyProtectorType -eq "RecoveryPassword" }
Backup-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $rp.KeyProtectorId

# Encrypt fixed data drives, then let the encrypted OS drive unlock them automatically
# (Enable-BitLocker has no -AutoUnlockEnabled switch; auto-unlock is a separate cmdlet)
Enable-BitLocker -MountPoint "D:" -EncryptionMethod XtsAes256 -RecoveryPasswordProtector
Enable-BitLockerAutoUnlock -MountPoint "D:"
```
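The commands above enable encryption first and escrow the recovery password afterwards, which is the ordering the Common Pitfalls section warns about: a TPM failure between the two steps leaves a volume nobody can unlock. The GPO setting "Do not enable BitLocker until recovery information is stored" enforces the right order for GPO-managed machines; the function below does the same thing explicitly for scripted enablement. It is an added example, not code from the original page. The function name `Enable-BitLockerWithEscrow` is my own; it uses `Backup-BitLockerKeyProtector` for AD DS and `BackupToAAD-BitLockerKeyProtector` for Azure AD, both of which ship with the BitLocker module on Windows 10 1511 and later.

```powershell
function Enable-BitLockerWithEscrow {
    [CmdletBinding()]
    param(
        [string]$MountPoint = "C:",
        [ValidateSet("ActiveDirectory", "AzureAD")]
        [string]$EscrowTarget = "ActiveDirectory",
        [switch]$RequirePin,
        [securestring]$Pin
    )

    # 1. Create the recovery password protector first so there is something to escrow.
    #    Add-BitLockerKeyProtector works on a still-decrypted volume and returns the volume object.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq "RecoveryPassword"
    if (-not $recovery) {
        $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
        $recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq "RecoveryPassword"
    }

    # 2. Escrow every recovery protector. -ErrorAction Stop turns a failed backup into a
    #    terminating error, so step 3 is never reached without a stored copy.
    foreach ($rp in $recovery) {
        switch ($EscrowTarget) {
            "ActiveDirectory" {
                Backup-BitLockerKeyProtector -MountPoint $MountPoint `
                    -KeyProtectorId $rp.KeyProtectorId -ErrorAction Stop
            }
            "AzureAD" {
                BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint `
                    -KeyProtectorId $rp.KeyProtectorId -ErrorAction Stop
            }
        }
        Write-Verbose "Escrowed recovery protector $($rp.KeyProtectorId) to $EscrowTarget"
    }

    # 3. Only now add the TPM (or TPM+PIN) protector and start encryption
    if ($RequirePin) {
        if (-not $Pin) { $Pin = Read-Host -AsSecureString -Prompt "Startup PIN" }
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
            -TpmAndPinProtector -Pin $Pin -SkipHardwareTest
    } else {
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
            -TpmProtector -SkipHardwareTest
    }

    Get-BitLockerVolume -MountPoint $MountPoint |
        Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus
}

# OS drive on a laptop: escrow to AD DS, then TPM+PIN
Enable-BitLockerWithEscrow -MountPoint "C:" -EscrowTarget ActiveDirectory -RequirePin -Verbose
```

If the backup cmdlet fails (machine off the corporate network, no write access to the computer object, Azure AD join missing), the function stops before `Enable-BitLocker` runs and the volume stays decrypted, which is the safe failure mode here.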

Step 4: Deploy via Intune (Enterprise)

Intune → Endpoint Security → Disk encryption → Create Profile

Platform: Windows 10 and later
Profile: BitLocker

Settings:
  BitLocker base settings:
    - Encryption for operating system drives: Require
    - Encryption for fixed data drives: Require
    - Encryption for removable data drives: Require

  Operating system drive settings:
    - Additional authentication at startup: Require
    - TPM startup: Allowed
    - TPM startup PIN: Required (for high-security endpoints)
    - Encryption method: XTS-AES 256-bit
    - Recovery: Escrow to Azure AD

  Fixed drive settings:
    - Encryption method: XTS-AES 256-bit
    - Recovery: Escrow to Azure AD

  Assign to: All managed Windows devices (or specific groups)

Step 5: Manage Recovery Keys

```powershell
# View recovery key on local system
(Get-BitLockerVolume -MountPoint "C:").KeyProtector |
    Where-Object { $_.KeyProtectorType -eq "RecoveryPassword" } |
    Select-Object KeyProtectorId, RecoveryPassword

# Retrieve recovery key from Active Directory (requires RSAT)
# Recovery objects are children of the computer object, so the search base is the computer's DN
Get-ADObject -Filter { objectClass -eq "msFVE-RecoveryInformation" } `
    -SearchBase "CN=COMPUTER01,OU=Workstations,DC=corp,DC=example,DC=com" `
    -Properties "msFVE-RecoveryPassword" |
    Select-Object -ExpandProperty "msFVE-RecoveryPassword"

# Retrieve recovery key from Azure AD
#   Azure Portal → Azure AD → Devices → [device] → BitLocker keys
# Or via Microsoft Graph API:
#   GET /devices/{id}/bitlockerRecoveryKeys
```

Step 6: Monitor Encryption Status

```powershell
# Check encryption status
manage-bde -status C:

# Expected output for an encrypted drive:
#   Conversion Status:    Fully Encrypted
#   Percentage Encrypted: 100.0%
#   Encryption Method:    XTS-AES 256
#   Protection Status:    Protection On
#   Key Protectors:       TPM, Numerical Password

# PowerShell compliance check
$vol = Get-BitLockerVolume -MountPoint "C:"
if ($vol.ProtectionStatus -eq "On" -and $vol.VolumeStatus -eq "FullyEncrypted") {
    Write-Host "COMPLIANT: BitLocker enabled and fully encrypted"
} else {
    Write-Host "NON-COMPLIANT: BitLocker status - Protection: $($vol.ProtectionStatus), Volume: $($vol.VolumeStatus)"
}
```
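The single-machine check above only tells you whether C: is encrypted. A fleet check also has to cover every volume, confirm the cipher matches policy, confirm a recovery password protector exists (otherwise the escrow in Step 5 has nothing to hold), and, following the TPM-only pitfall below, flag portable devices whose OS drive has no startup PIN. The following is an added example, not code from the original page. The function name `Get-BitLockerComplianceReport`, the issue labels and the use of SMBIOS chassis types to decide what counts as portable are my own choices; it runs the check remotely over WinRM with `Invoke-Command`, so PowerShell remoting must be enabled on the targets.

```powershell
function Get-BitLockerComplianceReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]]$ComputerName,
        [string]$RequiredMethod = "XtsAes256",
        [switch]$RequirePinOnPortable
    )

    $remote = {
        param($RequiredMethod, $RequirePinOnPortable)

        # SMBIOS chassis types 8-14 and 30-32 are portable form factors (notebooks, tablets, convertibles)
        $chassis  = (Get-CimInstance Win32_SystemEnclosure).ChassisTypes
        $portable = [bool]($chassis | Where-Object { ($_ -ge 8 -and $_ -le 14) -or ($_ -ge 30 -and $_ -le 32) })

        foreach ($vol in Get-BitLockerVolume) {
            $types  = @($vol.KeyProtector.KeyProtectorType | ForEach-Object { "$_" })
            $issues = @()

            if ($vol.VolumeStatus -ne "FullyEncrypted") { $issues += "VolumeStatus=$($vol.VolumeStatus)" }
            if ($vol.ProtectionStatus -ne "On")          { $issues += "ProtectionStatus=$($vol.ProtectionStatus)" }
            # A decrypted volume reports EncryptionMethod "None"; it is already flagged above
            if ($vol.VolumeStatus -ne "FullyDecrypted" -and "$($vol.EncryptionMethod)" -ne $RequiredMethod) {
                $issues += "Method=$($vol.EncryptionMethod)"
            }
            if ("RecoveryPassword" -notin $types) { $issues += "NoRecoveryPassword" }
            # TpmPin is the protector type set by -TpmAndPinProtector
            if ($RequirePinOnPortable -and $portable -and "$($vol.VolumeType)" -eq "OperatingSystem" -and "TpmPin" -notin $types) {
                $issues += "PortableOsDriveTpmOnly"
            }

            [pscustomobject]@{
                ComputerName = $env:COMPUTERNAME
                MountPoint   = $vol.MountPoint
                VolumeType   = "$($vol.VolumeType)"
                Portable     = $portable
                Method       = "$($vol.EncryptionMethod)"
                Protectors   = ($types -join ",")
                Compliant    = ($issues.Count -eq 0)
                Issues       = ($issues -join ";")
            }
        }
    }

    # Unreachable hosts surface as non-terminating errors and do not abort the rest of the fleet
    Invoke-Command -ComputerName $ComputerName -ScriptBlock $remote `
        -ArgumentList $RequiredMethod, $RequirePinOnPortable.IsPresent -ErrorAction Continue |
        Select-Object ComputerName, MountPoint, VolumeType, Portable, Method, Protectors, Compliant, Issues
}

# Constructed host names for illustration
Get-BitLockerComplianceReport -ComputerName "WS-001", "WS-002" -RequirePinOnPortable |
    Where-Object { -not $_.Compliant } |
    Format-Table -AutoSize
```

Pipe the full output to `Export-Csv` for an audit record; the `Issues` column gives the reviewer the exact reason each volume failed rather than a bare non-compliant flag.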

Key Concepts

| Term | Definition |
|---|---|
| TPM (Trusted Platform Module) | Hardware security chip that stores BitLocker encryption keys and provides measured boot integrity |
| XTS-AES 256 | Encryption cipher used by BitLocker; XTS mode provides better protection for disk encryption than CBC |
| Recovery Key | 48-digit numerical password used to unlock a BitLocker-encrypted drive when TPM authentication fails |
| Key Protector | Method used to unlock BitLocker (TPM, TPM+PIN, recovery password, startup key, smart card) |
| Used Space Only Encryption | Encrypts only sectors containing data; faster initial encryption but may leave remnant data in free space |
| Full Disk Encryption | Encrypts the entire volume including free space; slower but more secure for drives that previously contained data |

Tools & Systems

  • BitLocker (built-in): Windows full disk encryption feature
  • manage-bde.exe: Command-line BitLocker management tool
  • BitLocker Recovery Password Viewer: RSAT tool for viewing recovery keys in Active Directory
  • MBAM (Microsoft BitLocker Administration and Monitoring): Enterprise BitLocker management (legacy, replaced by Intune)
  • Microsoft Intune: Cloud-based BitLocker policy deployment and recovery key management

Common Pitfalls

  • Not escrowing recovery keys before encryption: If recovery keys are not saved to AD/Azure AD before encryption, they may be permanently lost if the TPM fails.
  • Using TPM-only without PIN: TPM-only mode is transparent but vulnerable to cold boot attacks and evil maid attacks. Add a startup PIN for laptops leaving the office.
  • Encrypting used space only on repurposed drives: If a drive previously contained sensitive data, "used space only" encryption leaves deleted data unencrypted in free space. Use full disk encryption for repurposed drives.
  • Forgetting removable drives: USB drives and external disks are common data loss vectors. Enforce BitLocker To Go for removable media.
  • No pre-provisioning for SCCM deployments: Pre-provision BitLocker during OSD task sequence to encrypt before OS deployment, avoiding the lengthy post-deployment encryption process.