
How to enable BITLOCKER on EXCHANGE servers

The Exchange Architecture recommends enabling BitLocker on fixed data drives that store Exchange database files for Exchange Server 2013 and Exchange Server 2016.

What is BitLocker?

BitLocker is the built-in Microsoft Windows feature for full disk encryption that offers enhanced protection against data theft on stolen or lost computers or hard disks.

BitLocker first appeared in Windows Vista and Windows Server 2008. Since then, BitLocker functionality has expanded and now includes encrypting data volumes, encrypting only used disk space, and provisioning flexibility.

Windows BitLocker protects volumes with the AES (Advanced Encryption Standard) algorithm using either a 128-bit key (the default) or a 256-bit key.

How to deploy BitLocker?

BitLocker can be deployed on Exchange servers using the following methods.

  1. Encrypting the operating system volume as well as the Exchange data volumes, either via TPM (recommended) or with the help of network unlock, the Data Recovery Agent and a PKI infrastructure.
  2. Encrypting only the Exchange data volumes.

To use BitLocker in a FIPS-compliant manner, note that if you are not using Windows Server 2012 R2 or later as the base OS, you cannot use recovery passwords for BitLocker. For more details, see What's New in BitLocker and KB 947249.

Volume Encryption Method

There are two approaches for volume encryption:

  1. Encrypting the entire volume. This option works best when you need to encrypt volumes that already contain messaging data. With a 3TB disk, it will take more than 8 hours to encrypt the disk completely.
  2. Encrypting the used space only. This method works for new deployments or for new disks without existing data.

Prior to beginning the encryption of an entire volume, make sure to set the servers in maintenance mode to prevent impact to end users. Performance can significantly deteriorate (~90% CPU usage) and free OS volume space will be limited (less than ~2GB) while the volume is being encrypted. Remember to deploy BitLocker on one DAG server at a time to ensure availability.

OS Volume and Exchange Data Volume Encryption Scenario

BitLocker provides the most protection when used with a TPM. The TPM is a hardware component installed in the server and we recommend a TPM 2.0 chip. It works with BitLocker to help protect user data and to ensure that a server has not been tampered with while the system was offline.

Specifically, BitLocker can use a TPM to verify the integrity of early boot components and boot configuration data. This helps ensure that BitLocker makes the encrypted drive accessible only if those components have not been tampered with and the encrypted drive is located in the original server.

BitLocker helps ensure the integrity of the startup process by taking the following actions:

Checks that the early boot file integrity has been maintained, and helps ensure that there has been no malicious modification of those files, such as with boot sector viruses or rootkits.

Enhances protection to mitigate offline software-based attacks. Any alternative software that might start the system does not have access to the decryption keys for the Windows operating system drive.

Locks the system when it is tampered with. If any monitored files have been modified, the system does not start. This alerts the administrator to the tampering, because the system fails to start as usual. In the event that system lockout occurs, follow the BitLocker recovery process which includes unlocking the system with a password or a USB key.

Important: A TPM can only be used in a physical server deployment. Virtualized servers are not capable of using a TPM. If you encrypt the guest operating system volume, a password or USB key must be used to allow the guest operating system to boot.

Setting up the Environment

The steps below assume the Exchange Server operating system is Windows Server 2012 R2 or later.

Important: When enabling BitLocker on existing Exchange servers, it is important to place the servers in maintenance mode to prevent the encryption process from affecting the end user experience.

  1. Create an Organizational Unit to contain the Exchange servers, if one does not already exist. Open PowerShell with the appropriate Active Directory permissions.
New-ADOrganizationalUnit "Exchange Servers" -path "dc=contoso,dc=com"

$ExchangeOU = Get-ADOrganizationalUnit -Filter 'Name -like "Exchange Servers"'

Get-ADComputer "Exchange Server" | Move-ADObject -TargetPath $ExchangeOU.DistinguishedName

2. Create group policy object and link it to the Exchange Servers OU.

Import-Module grouppolicy # RSAT must be installed

New-GPO -Name "Exchange Server BitLocker Policy" -Domain contoso.com

New-GPLink -Name "Exchange Server BitLocker Policy" -Enforced "yes" -Target $ExchangeOU.DistinguishedName

3. Install the BitLocker module on the Exchange servers.

  • Open PowerShell with local administrative privileges.
  • Execute Install-WindowsFeature BitLocker -Restart.
  • Reboot the server.

4. Enable TPM on the Exchange servers.

  • Refer to your hardware vendor’s BIOS manual for details on how to enable/activate the TPM.
  • Verify the TPM state by using the Trusted Platform Module Management tool (tpm.msc).

5. Allow TPM Recovery Information to be stored in Active Directory.

  • Open the Exchange Management Shell with an account that has the necessary permissions in Active Directory to apply access control entries.
  • Execute the following.
Add-ADPermission $ExchangeOU.DistinguishedName -User "NT AUTHORITY\SELF" -AccessRights ReadProperty,WriteProperty -Properties msTPM-OwnerInformation,msTPM-TpmInformationForComputer -InheritedObjectType Computer -InheritanceType Descendents

6. Configure the Bitlocker GPO settings.

  • Open the Group Policy Management Console (gpmc.msc).
  • Navigate the hierarchy to the Exchange Servers OU.
  • Right-click the Exchange Server BitLocker Policy and select Edit.
  • Open Computer Configuration, open Policies, open Administrative Templates, open Windows Components, and open BitLocker Drive Encryption.

In the right pane, double-click Choose drive encryption method and cipher strength. Select the Enabled option. If you want to use AES 256-bit encryption, select it and click OK.


  • Open Computer Configuration, open Policies, open Administrative Templates, open Windows Components, open BitLocker Drive Encryption, and finally, open Operating System Drives.
  • In the right pane, double-click Require additional authentication at startup. Select the Enabled option. If you want to disable or change any of the authentication methods, do so and click OK.


  • In the right pane, double-click Choose how BitLocker-protected fixed drives can be recovered. Select the Enabled option. Select the Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives option. Click OK.


  • In the right pane, double-click Enforce drive encryption type on fixed drives. Select the Enabled option. Select the Used Space Only encryption option for the encryption type. Click OK.


  • Open Computer Configuration, open Policies, open Administrative Templates, open Windows Components, open BitLocker Drive Encryption, and finally, open Fixed Data Drives.
  • In the right pane, double-click Choose how BitLocker-protected fixed drives can be recovered. Select the Enabled option. Select the Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives option. Click OK.


  • In the right pane, double-click Enforce drive encryption type on fixed drives. Select the Enabled option. Select the Used Space Only encryption option for the encryption type. Click OK.


  • Open Computer Configuration, open Policies, open Administrative Templates, open System, and open Trusted Platform Module Services.
  • In the right pane, double-click Turn on TPM backup to Active Directory Domain Services. Select the Enabled option. Click OK.


  • Ensure the group policy is applied to the Exchange servers.
$Servers = Get-ADComputer -SearchBase $ExchangeOU.DistinguishedName -Filter *
# Use the per-iteration variable, not the whole collection, when targeting each server
Foreach ($Server in $Servers) { Invoke-GPUpdate -Computer $Server.Name -Force -Target Computer }
  • Enable OS encryption.
  • Create a recovery key: manage-bde -protectors -add -RecoveryPassword C:
  • Execute the following against the operating system drive: manage-bde -on C: -usedspaceonly
  • Enable data volume encryption (C:\ExchangeVolumes\ExVol1 defines the mount point for an Exchange data volume, replace as appropriate).

Create a recovery key: manage-bde -protectors -add -RecoveryPassword "C:\ExchangeVolumes\ExVol1"

Execute the following for each Exchange database volume: manage-bde -on "C:\ExchangeVolumes\ExVol1" -usedspaceonly

Execute the following for each Exchange database volume to enable automatic unlock: Enable-BitLockerAutoUnlock -MountPoint "C:\ExchangeVolumes\ExVol1"

Note: Bad disk sectors can result in BitLocker volume encryption failure. For more information, please see Event ID 24588.
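Once the OS and data volumes are encrypted, the GPO setting "Do not enable BitLocker until recovery information is stored to AD DS" is only as good as your ability to verify it. The following script is an added example, not code from the original post: it reports, for each Exchange volume, the encryption state, the cipher in use, whether a recovery password protector exists and whether that protector's GUID is actually escrowed as an msFVE-RecoveryInformation object under the server's computer account. It assumes the BitLocker and ActiveDirectory modules are present on the server and that the caller can read the recovery objects; the mount point list is a constructed placeholder.

```powershell
# Added verification script (not from the original post). Assumes the BitLocker and
# ActiveDirectory PowerShell modules are installed on the Exchange server and that the
# caller may read msFVE-RecoveryInformation objects beneath the computer account.
Import-Module BitLocker
Import-Module ActiveDirectory

# Constructed example list; replace with the OS volume and your Exchange mount points.
$ExchangeMountPoints = @('C:', 'C:\ExchangeVolumes\ExVol1')

# Recovery passwords escrowed in AD are child objects of the computer account; each
# carries the protector GUID in msFVE-RecoveryGuid (stored as a byte array).
$computer = Get-ADComputer $env:COMPUTERNAME
$escrowed = Get-ADObject -LDAPFilter '(objectClass=msFVE-RecoveryInformation)' `
    -SearchBase $computer.DistinguishedName -Properties msFVE-RecoveryGuid
$escrowedGuids = @($escrowed | ForEach-Object { [guid]::new([byte[]]$_.'msFVE-RecoveryGuid') })

foreach ($mp in $ExchangeMountPoints) {
    $vol = Get-BitLockerVolume -MountPoint $mp -ErrorAction Stop

    # KeyProtectorId is the protector GUID in "{...}" form; match it against AD.
    $recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    $backedUp = $false
    foreach ($rp in $recovery) {
        if ($escrowedGuids -contains [guid]$rp.KeyProtectorId) { $backedUp = $true }
    }

    [pscustomobject]@{
        MountPoint       = $mp
        VolumeStatus     = $vol.VolumeStatus        # FullyEncrypted / EncryptionInProgress / ...
        ProtectionStatus = $vol.ProtectionStatus    # On means the key is sealed, not in the clear
        EncryptionMethod = $vol.EncryptionMethod    # check this matches the cipher chosen in the GPO
        HasRecoveryPwd   = ($recovery.Count -gt 0)
        RecoveryPwdInAD  = $backedUp
        AutoUnlock       = $vol.AutoUnlockEnabled   # expected $true on data volumes, not on C:
    }
}
```

Run it from the server after the manage-bde steps above; a data volume that shows HasRecoveryPwd true but RecoveryPwdInAD false is exactly the case the GPO is meant to prevent, and Backup-BitLockerKeyProtector can be used to escrow the protector before the server leaves maintenance mode.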

In the situation where a TPM cannot be used (e.g., the server does not have a TPM, or it is virtualized), encrypting the OS volume requires a password or USB key to allow the operating system to boot. As that can be detrimental for a service like Exchange, you could choose not to encrypt the OS volume and instead encrypt only the fixed data volumes. Since the OS volume is not encrypted, the operating system cannot automatically unlock the encrypted volumes on boot. Therefore, one of two things must happen:

  1. An administrator manually enters the recovery key and unlocks each drive after OS boot.
  2. A scheduled task is invoked to unlock the encrypted volumes during OS boot.

The following steps outline how to set up the scheduled task and assume the Exchange Server operating system is Windows Server 2012 R2 or later.

  • Create an Organizational Unit to contain the Exchange servers, if one does not already exist.
New-ADOrganizationalUnit "Exchange Servers" -path "dc=contoso,dc=com"
$ExchangeOU = Get-ADOrganizationalUnit -Filter 'Name -like "Exchange Servers"'
Get-ADComputer "Exchange Server" | Move-ADObject -TargetPath $ExchangeOU.DistinguishedName
  • Create group policy object and link it to the Exchange Servers OU.
Import-Module grouppolicy # RSAT must be installed
New-GPO -Name "Exchange Server BitLocker Policy" -Domain contoso.com
New-GPLink -Name "Exchange Server BitLocker Policy" -Enforced "yes" -Target $ExchangeOU.DistinguishedName
  • Create BitLocker scheduled task service account (_bitlockersvc).
  • Create security group for BitLocker management, placing the security group in a protected container.
New-ADGroup -name "Exchange BitLocker Management" -groupscope Universal -path "cn=users,dc=coe,dc=local"
Add-ADGroupMember "Exchange BitLocker Management" -members "_bitlockersvc", "Organization Management"
  • Install the BitLocker module on the Exchange servers.
Install-WindowsFeature BitLocker
  • Reboot the server.
  • Add BitLocker security management group to local administrators group on the Exchange servers.
  • Grant the BitLocker security management group permissions to access the msFVE-RecoveryPassword AD object. This allows the accounts to access the recovery password.
$ExchangeOU = Get-ADOrganizationalUnit -Filter 'Name -like "Exchange Servers"'
DSACLS $ExchangeOu.DistinguishedName /I:T /G "contoso\Exchange BitLocker Management:CA;msFVE-RecoveryPassword"
  • Configure the BitLocker GPO settings.
  • Ensure the group policy is applied to the Exchange servers.
$Servers = Get-ADComputer -SearchBase $ExchangeOU.DistinguishedName -Filter *
Foreach ($Server in $Servers) { Invoke-GPUpdate -Computer $Server.Name -Force -Target Computer }

Create the script that unlocks the volumes when the operating system boots.

Save the below file to your script directory (e.g., c:\bitlocker).

UnlockDrives.ps1

# Collect the recovery passwords escrowed in AD beneath this computer's account
$computer = Get-ADComputer $env:COMPUTERNAME
$RecoveryInformations = Get-ADObject -LDAPFilter "(msFVE-RecoveryPassword=*)" -SearchBase $computer.DistinguishedName -Properties *

# Enumerate BitLocker volumes through WMI and keep only the locked ones (LockStatus 1)
$vols = Get-WmiObject Win32_EncryptableVolume -Namespace "Root\CIMV2\Security\MicrosoftVolumeEncryption"
$lockedvols = $vols | Where-Object { $_.GetLockStatus().LockStatus -eq 1 }

# Diagnostic only: lists the key protector IDs of the first volume
$vols[0].GetKeyProtectors().VolumeKeyProtectorID

# Try every escrowed recovery password against each locked volume
foreach ($lockedvol in $lockedvols)
{
    $RecoveryInformations | ForEach-Object { $lockedvol.UnlockWithNumericalPassword($_."msFVE-RecoveryPassword") }
}
  • Create the scheduled task to run at system start and unlock the volumes, replacing the placeholder values (script path, account name and task name) with your own.

Save the below file to your script directory.

  • Execute schtasks /create /s $env:computername /ru contoso\_svcexbitlocker /rp /XML c:\Bitlocker\UnlockDrivesAtStart.xml /TN UnlockDrivesAtStart.
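The post registers the task from an XML definition with schtasks. As an added example, not the post's XML or the project's own code, the same startup task can be built with the ScheduledTasks cmdlets available on Windows Server 2012 R2 and later, which makes the trigger, the run-as account and the run level explicit and keeps the service account password out of the command line. The script path, account name and task name are assumptions taken from the steps above.

```powershell
# Added example (not from the original post): register the startup unlock task with
# the ScheduledTasks module instead of schtasks /XML. Assumes UnlockDrives.ps1 is in
# C:\Bitlocker and that the BitLocker service account below exists and is a member
# of the "Exchange BitLocker Management" group (names taken from the steps above).
$TaskName   = 'UnlockDrivesAtStart'
$ScriptPath = 'C:\Bitlocker\UnlockDrives.ps1'
$Account    = 'contoso\_bitlockersvc'   # constructed; use your own service account

# powershell.exe runs the unlock script non-interactively at boot.
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -File `"$ScriptPath`""

# Fire once when the system starts, before anyone logs on.
$trigger = New-ScheduledTaskTrigger -AtStartup

# Give up after ten minutes rather than hanging the boot indefinitely.
$settings = New-ScheduledTaskSettingsSet -StartWhenAvailable `
    -ExecutionTimeLimit (New-TimeSpan -Minutes 10)

# Prompt for the password so it is not embedded in a script or left in shell history.
$cred = Get-Credential -UserName $Account -Message 'BitLocker unlock service account'

Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
    -Settings $settings -User $cred.UserName `
    -Password $cred.GetNetworkCredential().Password -RunLevel Highest -Force

# Confirm the registration; after the next reboot, LastTaskResult should be 0.
Get-ScheduledTask -TaskName $TaskName | Get-ScheduledTaskInfo
```

Because the task stores the account's password, the account needs the "Log on as a batch job" right on each Exchange server, and the rights granted earlier with DSACLS on msFVE-RecoveryPassword are all it should hold in Active Directory.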

System Changes

It’s important to keep in mind that any of the following system changes can cause an integrity check failure and prevent the TPM from releasing the BitLocker key to decrypt the protected volumes:

  • Moving the BitLocker-protected drive into a new computer.
  • Installing a new motherboard with a new TPM.
  • Turning off, disabling, or clearing the TPM.
  • Changing any boot configuration settings.
  • Changing the BIOS, UEFI firmware, master boot record, boot sector, boot manager, option ROM, or other early boot components or boot configuration data.
  • Applying BIOS/UEFI firmware updates.

As part of your customary procedure, it’s best to suspend BitLocker encryption (via the Suspend-BitLocker cmdlet) before introducing any changes to the server. Additionally, make sure to test any hardware and software configuration changes in a lab setting (that has BitLocker enabled) before deploying in production.
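The following is an added example, not code from the original post, of how to make that suspend step routine and self-correcting. It suspends protection on the operating system volume for exactly one reboot, so the TPM measurements taken after a firmware or boot-configuration change are accepted and protection comes back on its own, and it provides a check to run from the post-maintenance checklist to confirm that no volume was left with protection off. It assumes the BitLocker module is installed on the server; the data volumes are auto-unlocked by the OS volume key and so need no suspension.

```powershell
# Added example (not from the original post): wrap Suspend-BitLocker and the
# post-change verification in two functions. Assumes the BitLocker module is present.
Import-Module BitLocker

function Suspend-ExchangeBitLocker {
    # Only the OS volume is sealed to TPM measurements; the data volumes are
    # unlocked by a key stored on the OS volume and are unaffected by firmware changes.
    $os = Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' }
    foreach ($v in $os) {
        # -RebootCount 1: protection resumes automatically after the next boot, so a
        # forgotten Resume-BitLocker cannot leave the server running with a clear-text key.
        Suspend-BitLocker -MountPoint $v.MountPoint -RebootCount 1 -Confirm:$false
        Write-Host "Suspended BitLocker on $($v.MountPoint) for one reboot"
    }
}

function Test-ExchangeBitLockerProtected {
    # Returns $true only when every encrypted volume reports ProtectionStatus On.
    $encrypted = Get-BitLockerVolume | Where-Object { $_.VolumeStatus -ne 'FullyDecrypted' }
    $off = @($encrypted | Where-Object { $_.ProtectionStatus -ne 'On' })
    foreach ($v in $off) {
        Write-Warning "Protection is $($v.ProtectionStatus) on $($v.MountPoint)"
    }
    return ($off.Count -eq 0)
}

# Usage, with the server already in maintenance mode:
#   Suspend-ExchangeBitLocker
#   ... apply the BIOS/UEFI update or boot configuration change and reboot ...
# Then, from the post-change checklist:
if (-not (Test-ExchangeBitLockerProtected)) {
    # Protection did not come back (for example a suspend without -RebootCount);
    # resume it explicitly before returning the server to service.
    Get-BitLockerVolume | Where-Object { $_.ProtectionStatus -ne 'On' -and $_.VolumeStatus -ne 'FullyDecrypted' } |
        ForEach-Object { Resume-BitLocker -MountPoint $_.MountPoint }
}
```

A suspended volume still holds its data encrypted, but the volume master key is written in the clear, so the window between Suspend-ExchangeBitLocker and the reboot is the one to keep short and inside the maintenance window.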

Also, be sure to develop a standard operating procedure about how to recover in the event the BitLocker recovery must be performed. This will ensure that downtime is minimized. For more information, please see the BitLocker Recovery Guide.

Disk Maintenance Activities

During the server’s lifecycle, disks will die. As part of your standard operating procedures, you need to ensure that when a disk is replaced the new volume is formatted and encrypted via BitLocker.

In the event you are using AutoReseed to recover from failed disks, you have two options: format and encrypt the disks prior to usage, or encrypt after failure.

Format and encrypt the disks prior to usage

In this scenario, your standard operating procedure will be to prevent Disk Reclaimer from formatting hot spare disks. Instead, you will format and encrypt all hot spare disks prior to usage.

  1. Disable Disk Reclaimer on the DAG: Set-DatabaseAvailabilityGroup -AutoDagDiskReclaimerEnabled $false
  2. Format and encrypt all hot spares. Do not assign mount points or drive letters.
  3. As disks fail, AutoReseed will assign the hot spare volumes, replacing the failed volumes, and reseed the afflicted database copies.
  4. Schedule a maintenance window. Replace the failed disks. Format and encrypt.

Encrypt after failure

In this scenario, your standard operating procedure will be to allow Disk Reclaimer to format hot spare disks (default behavior). After the spare is formatted and databases are reseeded, you will encrypt the disk.

  1. As disks fail, AutoReseed allocates, remaps and formats a spare disk.
  2. AutoReseed initiates reseed operations.
  3. Using SCOM, or another operations management tool, you will monitor for events 1127 (initiated reseed of a database) and 826 (completed reseed of a database) that are located in the Microsoft-Exchange-HighAvailability/Seeding crimson channel.
  4. Schedule a maintenance outage for the affected server and encrypt the new volume.
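For the "encrypt after failure" procedure, the operations team needs two facts before scheduling the outage: which reseeds have completed, and which Exchange data volumes are still unencrypted. The script below is an added example, not code from the original post, that answers both from the server itself: it queries the Microsoft-Exchange-HighAvailability/Seeding channel for events 1127 and 826 and then lists every BitLocker volume under the Exchange mount-point root whose status is still FullyDecrypted. It assumes the BitLocker module is present; the mount-point root and look-back period are constructed placeholders.

```powershell
# Added example (not from the original post): report completed reseeds and any
# Exchange data volume that AutoReseed has formatted but that is not yet encrypted.
# Assumes the BitLocker module is installed; root path and look-back are constructed.
Import-Module BitLocker

$ExchangeVolumeRoot = 'C:\ExchangeVolumes'   # constructed; match your mount-point layout
$Since = (Get-Date).AddDays(-7)

# 1127 = reseed initiated, 826 = reseed completed (event IDs as given in the post).
$seedEvents = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Exchange-HighAvailability/Seeding'
    Id        = 1127, 826
    StartTime = $Since
} -ErrorAction SilentlyContinue

if ($seedEvents) {
    Write-Host "Seeding activity since $Since:"
    $seedEvents | Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } } |
        Format-Table -AutoSize
} else {
    Write-Host "No reseed events in the Seeding channel since $Since."
}

# Any volume mounted beneath the Exchange root with no BitLocker encryption at all.
$unencrypted = @(Get-BitLockerVolume |
    Where-Object { $_.MountPoint -like "$ExchangeVolumeRoot\*" -and $_.VolumeStatus -eq 'FullyDecrypted' })

if ($unencrypted.Count -gt 0) {
    Write-Warning "Volumes to encrypt in the next maintenance window:"
    $unencrypted | Select-Object MountPoint, VolumeStatus, ProtectionStatus | Format-Table -AutoSize
} else {
    Write-Host 'All Exchange data volumes under the root are BitLocker-encrypted.'
}
```

The event query is the same data SCOM would collect; running it locally is useful as a pre-flight check on the server being taken down, since a database whose reseed (event 826) has not yet completed should not have its volume encrypted in that window.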

Conclusion

We hope that this post helps you understand BitLocker encryption and configure BitLocker for Exchange servers. As demonstrated, the best approach is to use a TPM for storing the recovery data and to allow the operating system to unlock volumes automatically during boot. If your servers do not have access to a TPM, you can consider encrypting only the data volumes and building a mechanism to ensure that the data volumes unlock at OS boot.

Exchange Architecture recommends enabling BitLocker on fixed data drives that store Exchange database files, both for Exchange Server 2013 and Exchange Server 2016.