Enabling BitLocker on Exchange Servers


The Exchange Preferred Architecture, for both Exchange Server 2013 and Exchange Server 2016, recommends enabling BitLocker on fixed data drives that store Exchange database files. Over the years, there have been a number of questions regarding how BitLocker should be enabled on servers.

However, before we discuss that, I think it is important to provide an overview of BitLocker, as I have found not many are familiar with the technology.

What is BitLocker?

BitLocker is the built-in Microsoft Windows solution for volume encryption that provides enhanced protection against data theft in the form of stolen or lost computers or hard disks.

BitLocker was first introduced in Windows Vista and Windows Server 2008. Since the initial release, there have been several improvements made to BitLocker, including encrypting data volumes, encrypting only used disk space, and provisioning flexibility.

By default, BitLocker uses the AES encryption algorithm in cipher block chaining (CBC) mode with a 128-bit (default) or 256-bit key.

For more information, see the BitLocker Overview on Microsoft TechNet.

How can BitLocker be deployed?

There are multiple ways you can deploy BitLocker on Exchange servers.

  1. Encrypt the operating system volume as well as the Exchange data volumes, utilizing either Network Unlock, the Data Recovery Agent and PKI infrastructure, or a TPM (recommended approach).
  2. Encrypt the Exchange data volumes only.

To use BitLocker in a FIPS-compliant manner, keep in mind:

  • Trusted Platform Module (TPM) 1.2 is not FIPS-compliant and uses SHA1. You need to use a TPM 2.0 for FIPS compliance.
  • To leverage the Network unlock feature, you need to take into account the core requirements.
  • Microsoft BitLocker Administration and Monitoring (MBAM) cannot be used to manage BitLocker on server operating systems.
  • If you are not using Windows Server 2012 R2 or later as the base operating system, then you cannot use recovery passwords for BitLocker. For more information, see What's New in BitLocker and KB 947249.

Volume Encryption Method

There are two methods for volume encryption:

  1. Encrypt the entire volume. Use this option when you need to encrypt volumes that already contain existing messaging data. With a 3TB disk, it takes more than 8 hours to encrypt the entire disk.
  2. Encrypt only the used space. Use this for new deployments or for new disks where the volumes have no existing data.

Be sure to place the servers in maintenance mode to prevent impact to end users prior to beginning the encryption of an entire volume. You can expect major performance degradation (~90% CPU utilization) and limited free OS volume space (less than ~2GB) while the volume is being encrypted. Also, be sure to deploy BitLocker one server at a time within a DAG to preserve availability.

OS Volume and Exchange Data Volume Encryption Scenario

BitLocker provides the most protection when used with a TPM. The TPM is a hardware component installed in the server and we recommend a TPM 2.0 chip. It works with BitLocker to help protect user data and to ensure that a server has not been tampered with while the system was offline.

Specifically, BitLocker can use a TPM to verify the integrity of early boot components and boot configuration data. This helps ensure that BitLocker makes the encrypted drive accessible only if those components have not been tampered with and the encrypted drive is located in the original server.

BitLocker helps ensure the integrity of the startup process by taking the following actions:

  • Checks that the early boot file integrity has been maintained, and helps ensure that there has been no malicious modification of those files, such as with boot sector viruses or rootkits.
  • Enhances protection to mitigate offline software-based attacks. Any alternative software that might start the system does not have access to the decryption keys for the Windows operating system drive.
  • Locks the system when it is tampered with. If any monitored files have been modified, the system does not start. This alerts the administrator to the tampering, because the system fails to start as usual. In the event that system lockout occurs, follow the BitLocker recovery process which includes unlocking the system with a password or a USB key.

Important: A TPM can only be used in a physical server deployment. Virtualized servers are not capable of using a TPM. If you encrypt the guest operating system volume, a password or USB key must be used to allow the guest operating system to boot.

Setting up the Environment

The steps below assume the Exchange Server operating system is Windows Server 2012 R2 or later.

Important: When enabling BitLocker on existing Exchange servers, it is important to place the servers in maintenance mode to prevent the encryption process from affecting the end user experience.

  1. Create an Organizational Unit to contain the Exchange servers, if one does not already exist.
    1. Open PowerShell with the appropriate Active Directory permissions.
    2. Execute New-ADOrganizationalUnit "Exchange Servers" -path "dc=contoso,dc=com".
    3. Execute $ExchangeOU = Get-ADOrganizationalUnit -Filter 'Name -like "Exchange Servers"'.
    4. Execute Get-ADComputer "Exchange Server" | Move-ADObject -TargetPath $ExchangeOU.DistinguishedName.
  2. Create group policy object and link it to the Exchange Servers OU.
    1. Open PowerShell with the appropriate Active Directory permissions.
    2. Execute Import-Module grouppolicy (requires RSAT tools to be installed).
    3. Execute New-GPO -Name "Exchange Server BitLocker Policy" -Domain contoso.com
    4. Execute New-GPLink -Name "Exchange Server BitLocker Policy" -Enforced "yes" -Target $ExchangeOU.DistinguishedName
  3. Install the BitLocker module on the Exchange servers.
    1. Open PowerShell with local administrative privileges.
    2. Execute Install-WindowsFeature BitLocker -Restart.
    3. Reboot the server.
  4. Enable TPM on the Exchange servers.
    1. Refer to your hardware vendor’s BIOS manual for details on how to enable/activate the TPM.
    2. Verify the TPM state by using the Trusted Platform Module Management tool (tpm.msc).
  5. Allow TPM Recovery Information to be stored in Active Directory.
    1. Open the Exchange Management Shell with an account that has the necessary permissions in Active Directory to apply access control entries.
    2. Execute Add-ADPermission $ExchangeOU.DistinguishedName -User "NT AUTHORITY\SELF" -AccessRights ReadProperty,WriteProperty -Properties msTPM-OwnerInformation,msTPM-TpmInformationForComputer -InheritedObjectType Computer -InheritanceType Descendents.
  6. Configure the Bitlocker GPO settings.
    1. Open the Group Policy Management Console (gpmc.msc).
    2. Navigate the hierarchy to the Exchange Servers OU.
    3. Right-click the Exchange Server BitLocker Policy and select Edit.
    4. Open Computer Configuration, open Policies, open Administrative Templates, open Windows Components, and open BitLocker Drive Encryption.
      1. In the right pane, double-click Choose drive encryption method and cipher strength. Select the Enabled option. If you want to use AES 256-bit encryption, select it and click OK.
    5. Open Computer Configuration, open Policies, open Administrative Templates, open Windows Components, open BitLocker Drive Encryption, and finally, open Operating System Drives.
      1. In the right pane, double-click Require additional authentication at startup. Select the Enabled option. If you want to disable or change any of the authentication methods, do so and click OK.
      2. In the right pane, double-click Choose how BitLocker-protected operating system drives can be recovered. Select the Enabled option. Select the Do not enable BitLocker until recovery information is stored to AD DS for operating system drives option. Click OK.
      3. In the right pane, double-click Enforce drive encryption type on operating system drives. Select the Enabled option. Select the Used Space Only encryption option for the encryption type. Click OK.
    6. Open Computer Configuration, open Policies, open Administrative Templates, open Windows Components, open BitLocker Drive Encryption, and finally, open Fixed Data Drives.
      1. In the right pane, double-click Choose how BitLocker-protected fixed drives can be recovered. Select the Enabled option. Select the Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives option. Click OK.
      2. In the right pane, double-click Enforce drive encryption type on fixed drives. Select the Enabled option. Select the Used Space Only encryption option for the encryption type. Click OK.
    7. Open Computer Configuration, open Policies, open Administrative Templates, open System, and open Trusted Platform Module Services.
      1. In the right pane, double-click Turn on TPM backup to Active Directory Domain Services. Select the Enabled option. Click OK.
  7. Ensure the group policy is applied to the Exchange servers.
    1. Execute $Servers = Get-ADComputer -SearchBase $ExchangeOU.DistinguishedName -Filter *.
    2. Execute Foreach ($Server in $Servers) {Invoke-GPUpdate -Computer $Server.Name -Force -Target Computer}.
  8. Enable OS encryption.
    1. Create a recovery key: manage-bde -protectors -add -RecoveryPassword C:
    2. Execute the following against the operating system drive: manage-bde -on C: -usedspaceonly
  9. Enable data volume encryption (C:\ExchangeVolumes\ExVol1 defines the mount point for an Exchange data volume, replace as appropriate).
    1. Create a recovery key: manage-bde -protectors -add -RecoveryPassword "C:\ExchangeVolumes\ExVol1"
    2. Execute the following for each Exchange database volume: manage-bde -on "C:\ExchangeVolumes\ExVol1" -usedspaceonly
    3. Execute the following for each Exchange database volume to enable automatic unlock: Enable-BitLockerAutoUnlock -MountPoint "C:\ExchangeVolumes\ExVol1"

    Note: Bad disk sectors can result in BitLocker volume encryption failure. For more information, please see Event ID 24588.

Exchange Data Volume Encryption Scenario

In the situation where a TPM cannot be used (e.g., the server does not have a TPM, or it is virtualized), encrypting the OS volume requires the use of a password or USB key to allow the operating system to boot. As that can be detrimental for a service like Exchange, you could choose not to encrypt the OS volume. Instead, you only encrypt the fixed data volumes. Since the OS volume is not encrypted, the operating system cannot automatically unlock the encrypted volumes on boot. Therefore, one of two things must happen:

  1. An administrator manually enters the recovery key and unlocks each drive after OS boot.
  2. A scheduled task is invoked to unlock the encrypted volumes during OS boot.

The following steps outline how to set up the scheduled task and assume the Exchange Server operating system is Windows Server 2012 R2 or later.

Important: When enabling BitLocker on existing Exchange servers, it is important to place the servers in maintenance mode to prevent the encryption process from affecting the end user experience.

  1. Create an Organizational Unit to contain the Exchange servers, if one does not already exist.
    1. Open PowerShell with the appropriate Active Directory permissions.
    2. Execute New-ADOrganizationalUnit "Exchange Servers" -path "dc=contoso,dc=com".
    3. Execute $ExchangeOU = Get-ADOrganizationalUnit -Filter 'Name -like "Exchange Servers"'.
    4. Execute Get-ADComputer "Exchange Server" | Move-ADObject -TargetPath $ExchangeOU.DistinguishedName.
  2. Create group policy object and link it to the Exchange Servers OU.
    1. Open PowerShell with the appropriate Active Directory permissions.
    2. Execute Import-Module grouppolicy (requires RSAT tools to be installed).
    3. Execute New-GPO -Name "Exchange Server BitLocker Policy" -Domain contoso.com
    4. Execute New-GPLink -Name "Exchange Server BitLocker Policy" -Enforced "yes" -Target $ExchangeOU.DistinguishedName
  3. Create BitLocker scheduled task service account (_bitlockersvc).
    1. Create a service account following your organization’s policy.
  4. Create security group for BitLocker management, placing the security group in a protected container.
    1. Open PowerShell with the appropriate Active Directory permissions.
    2. Execute New-ADGroup -name "Exchange BitLocker Management" -groupscope Universal -path "cn=users,dc=coe,dc=local".
    3. Execute Add-ADGroupMember "Exchange BitLocker Management" -members "_bitlockersvc", "Organization Management".
  5. Install the BitLocker module on the Exchange servers.
    1. Open PowerShell with local administrative privileges.
    2. Execute Install-WindowsFeature BitLocker.
    3. Reboot the server.
  6. Add BitLocker security management group to local administrators group on the Exchange servers.
  7. Grant the BitLocker security management group permissions to access the msFVE-RecoveryPassword AD object. This allows the accounts to access the recovery password.
    1. Open an elevated PowerShell session with Domain Administrator permissions.
    2. Execute $ExchangeOU = Get-ADOrganizationalUnit -Filter 'Name -like "Exchange Servers"'.
    3. Execute DSACLS $ExchangeOu.DistinguishedName /I:T /G "contoso\Exchange BitLocker Management:CA;msFVE-RecoveryPassword".
  8. Configure the BitLocker GPO settings.
    1. Open the Group Policy Management Console (gpmc.msc).
    2. Navigate the hierarchy to the Exchange Servers OU.
    3. Right-click the Exchange Server BitLocker Policy and select Edit.
    4. Open Computer Configuration, open Policies, open Administrative Templates, open Windows Components, and open BitLocker Drive Encryption.
      1. In the right pane, double-click Choose drive encryption method and cipher strength. Select the Enabled option. If you want to use AES 256-bit encryption, select it and click OK.
    5. Open Computer Configuration, open Policies, open Administrative Templates, open Windows Components, open BitLocker Drive Encryption, and finally, open Fixed Data Drives.
      1. In the right pane, double-click Choose how BitLocker-protected fixed drives can be recovered. Select the Enabled option. Select the Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives option. Click OK.
      2. In the right pane, double-click Enforce drive encryption type on fixed drives. Select the Enabled option. Select the Used Space Only encryption option for the encryption type. Click OK.
    6. Open Computer Configuration, open Policies, open Administrative Templates, open System, and open Trusted Platform Module Services.
      1. In the right pane, double-click Turn on TPM backup to Active Directory Domain Services. Select the Enabled option. Click OK.
  9. Ensure the group policy is applied to the Exchange servers.
    1. Execute $Servers = Get-ADComputer -SearchBase $ExchangeOU.DistinguishedName -Filter *.
    2. Execute Foreach ($Server in $Servers) {Invoke-GPUpdate -Computer $Server.Name -Force -Target Computer}.
  10. Enable data volume encryption (C:\ExchangeVolumes\ExVol1 defines the mount point for an Exchange data volume, replace as appropriate).
    1. Execute the following against each Exchange database volume: Manage-bde -on "C:\ExchangeVolumes\ExVol1" -rp -usedspaceonly.

      Note: Bad disk sectors can result in BitLocker volume encryption failure. For more information, please see Event ID 24588.

  11. Validate recovery keys are stored in Active Directory.
    1. Download the BitLocker Drive Encryption Configuration Guide: Backing Up BitLocker and TPM Recovery Information to Active Directory.
    2. Execute Get-BitLockerRecoveryInfo.vbs.
    3. If script does not return any data, backup the recovery keys by downloading and executing BDEAdBackup.vbs.
  12. Create the script that unlocks the volumes when the operating system boots.
    1. Save the below file to your script directory (e.g., c:\bitlocker).

      UnlockDrives.ps1
      # Runs at boot as the BitLocker service account; unlocks locked volumes with the recovery passwords stored in AD.
      Import-Module ActiveDirectory
      $computer = Get-ADComputer $env:COMPUTERNAME
      # Recovery objects are children of the computer account; msFVE-RecoveryPassword is readable only by the group granted access in step 7.
      $RecoveryInformations = Get-ADObject -LDAPFilter "(msFVE-RecoveryPassword=*)" -SearchBase $computer.DistinguishedName -Properties "msFVE-RecoveryPassword"
      $vols = Get-WmiObject Win32_EncryptableVolume -Namespace "Root\CIMV2\Security\MicrosoftVolumeEncryption"
      $lockedvols = $vols | Where-Object { $_.GetLockStatus().LockStatus -eq 1 }   # LockStatus 1 = locked
      foreach ($lockedvol in $lockedvols)
      {
          # Try each stored recovery password until one succeeds (ReturnValue 0)
          foreach ($info in $RecoveryInformations)
          {
              $result = $lockedvol.UnlockWithNumericalPassword($info."msFVE-RecoveryPassword")
              if ($result.ReturnValue -eq 0) { break }
          }
      }

      Note: This is a basic script to get you started. You may need to extend the duties of this script to ensure that Microsoft Exchange Diagnostics, Microsoft Exchange Health Manager, and Microsoft Exchange Service Host services are restarted in the event they fail to start while the above script unlocks the data volumes.

  13. Create the scheduled task to run at system start and unlock the volumes, replacing the placeholder values (the service account, its password, and the script directory).
    1. Save the below file to your script directory.
    2. Execute schtasks /create /s $env:computername /ru contoso\_bitlockersvc /rp <Password> /XML c:\Bitlocker\UnlockDrivesAtStart.xml /TN UnlockDrivesAtStart.

      <?xml version="1.0" encoding="UTF-16"?>
      <Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
      <RegistrationInfo>
      <Date>2015-04-16T12:07:14.9465954</Date>
      <Author>contoso\exadmin</Author>
      <Description>Script unlocks Exchange data drives at OS startup</Description>
      </RegistrationInfo>
      <Triggers>
      <BootTrigger>
      <Enabled>true</Enabled>
      </BootTrigger>
      </Triggers>
      <Principals>
      <Principal id="Author">
      <UserId>contoso\_bitlockersvc</UserId>
      <LogonType>Password</LogonType>
      <RunLevel>HighestAvailable</RunLevel>
      </Principal>
      </Principals>
      <Settings>
      <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
      <DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries>
      <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
      <AllowHardTerminate>true</AllowHardTerminate>
      <StartWhenAvailable>false</StartWhenAvailable>
      <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
      <IdleSettings>
      <StopOnIdleEnd>true</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
      </IdleSettings>
      <AllowStartOnDemand>true</AllowStartOnDemand>
      <Enabled>true</Enabled>
      <Hidden>false</Hidden>
      <RunOnlyIfIdle>false</RunOnlyIfIdle>
      <WakeToRun>false</WakeToRun>
      <ExecutionTimeLimit>P3D</ExecutionTimeLimit>
      <Priority>7</Priority>
      </Settings>
      <Actions Context="Author">
      <Exec>
      <Command>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Command>
      <Arguments>-Command .\UnlockDrives.ps1</Arguments>
      <WorkingDirectory>DIRECTORY_FOR_UNLOCKDRIVES.PS1</WorkingDirectory>
      </Exec>
      </Actions>
      </Task>

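To confirm the outcome of either procedure above (the TPM scenario and the data-volume-only scenario), the following PowerShell check is an added example and is not part of the original post. It assumes the BitLocker and ActiveDirectory modules are installed on the server and that the Exchange data volumes are mounted under C:\ExchangeVolumes; whether a TPM protector is expected on the OS drive is a switch, because the second scenario leaves the OS drive unencrypted.

```powershell
# Added example (not from the original post). Audits BitLocker on this Exchange
# server: encryption state, key protector types, auto-unlock, and whether every
# recovery password protector has a matching msFVE-RecoveryInformation object in AD.
Import-Module BitLocker
Import-Module ActiveDirectory

function Get-AdBackedRecoveryProtectorId {
    # Recovery objects are children of the computer account. Their CN is
    # "<creation time>{<protector GUID>}", so the GUID can be read from the name
    # without read access to the confidential msFVE-RecoveryPassword attribute.
    $computer = Get-ADComputer $env:COMPUTERNAME
    Get-ADObject -LDAPFilter '(objectClass=msFVE-RecoveryInformation)' `
                 -SearchBase $computer.DistinguishedName |
        ForEach-Object {
            if ($_.Name -match '\{[0-9A-Fa-f-]{36}\}') { $Matches[0].ToUpper() }
        }
}

function Test-ExchangeBitLockerState {
    [CmdletBinding()]
    param(
        [string]$DataVolumeRoot = 'C:\ExchangeVolumes',   # assumed mount-point root
        [switch]$ExpectTpmOnOsDrive                         # set for the TPM scenario
    )
    $adIds = @(Get-AdBackedRecoveryProtectorId)

    foreach ($vol in Get-BitLockerVolume) {
        $isOs   = $vol.VolumeType -eq 'OperatingSystem'
        $isData = $vol.MountPoint -like "$DataVolumeRoot*"
        if (-not ($isOs -or $isData)) { continue }

        $rpIds = @($vol.KeyProtector |
                   Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
                   ForEach-Object { $_.KeyProtectorId.ToUpper() })
        $hasTpm = [bool]($vol.KeyProtector |
                   Where-Object { $_.KeyProtectorType -like 'Tpm*' })
        $notInAd = @($rpIds | Where-Object { $adIds -notcontains $_ })

        $issues = @()
        if ($vol.ProtectionStatus -ne 'On')         { $issues += 'protection off' }
        if ($vol.VolumeStatus -ne 'FullyEncrypted') { $issues += "status $($vol.VolumeStatus)" }
        if ($rpIds.Count -eq 0)                     { $issues += 'no recovery password protector' }
        if ($notInAd.Count -gt 0)                   { $issues += 'recovery password not backed up to AD' }
        if ($isOs -and $ExpectTpmOnOsDrive -and -not $hasTpm) { $issues += 'no TPM protector' }
        if ($isData -and $ExpectTpmOnOsDrive -and -not $vol.AutoUnlockEnabled) {
            $issues += 'auto-unlock not enabled'
        }

        [pscustomobject]@{
            MountPoint = $vol.MountPoint
            VolumeType = $vol.VolumeType
            Method     = $vol.EncryptionMethod
            Compliant  = ($issues.Count -eq 0)
            Issues     = ($issues -join '; ')
        }
    }
}

# Usage for the TPM scenario; drop the switch for the data-volume-only scenario.
Test-ExchangeBitLockerState -ExpectTpmOnOsDrive | Format-Table -AutoSize
```

Any volume reported as not compliant should be fixed before the server leaves maintenance mode, since an unbacked-up recovery password is unrecoverable if the disk ever locks.
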
System Changes

It’s important to remember that any of the following system changes can cause an integrity check failure and prevent the TPM from releasing the BitLocker key to decrypt the protected volumes:

  • Moving the BitLocker-protected drive into a new computer.
  • Installing a new motherboard with a new TPM.
  • Turning off, disabling, or clearing the TPM.
  • Changing any boot configuration settings.
  • Changing the BIOS, UEFI firmware, master boot record, boot sector, boot manager, option ROM, or other early boot components or boot configuration data.
  • Applying BIOS/UEFI firmware updates.

As part of your standard operating procedure, it is best to suspend BitLocker encryption (via the Suspend-BitLocker cmdlet) prior to introducing any changes to the server. In addition, be sure to test any hardware and software configuration changes in a lab environment (that has BitLocker enabled) prior to deploying in production.

Also, be sure to develop a standard operating procedure about how to recover in the event the BitLocker recovery must be performed. This will ensure that downtime is minimized. For more information, please see the BitLocker Recovery Guide.

Disk Maintenance Activities

During the server's lifecycle, disks will die. As part of your standard operating procedures, you need to ensure that when a disk is replaced the new volume is formatted and encrypted via BitLocker.

Process before Exchange 2013 CU13 or Exchange 2016 CU2

In the event you are using AutoReseed to recover from failed disks, you have two options: format and encrypt the disks prior to usage, or encrypt after failure.

Format and encrypt the disks prior to usage

In this scenario, your standard operating procedure will be to prevent Disk Reclaimer from formatting hot spare disks. Instead, you will format and encrypt all hot spare disks prior to usage.

  1. Disable Disk Reclaimer on the DAG: Set-DatabaseAvailabilityGroup <DAGName> -AutoDagDiskReclaimerEnabled $false
  2. Format and encrypt all hot spares. Do not assign mount points or drive letters.
  3. As disks fail, AutoReseed will assign the hot spare volumes, replacing the failed volumes, and reseed the afflicted database copies.
  4. Schedule a maintenance window. Replace the failed disks. Format and encrypt.

Encrypt after failure

In this scenario, your standard operating procedure will be to allow Disk Reclaimer to format hot spare disks (default behavior). After the spare is formatted and databases are reseeded, you will encrypt the disk.

  1. As disks fail, AutoReseed allocates, remaps and formats a spare disk.
  2. AutoReseed initiates reseed operations.
  3. Using SCOM, or another operations management tool, you will monitor for events 1127 (initiated reseed of a database) and 826 (completed reseed of a database) that are located in the Microsoft-Exchange-HighAvailability/Seeding crimson channel.
  4. Schedule a maintenance outage for the affected server and encrypt the new volume.
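
The following PowerShell example is added here and is not part of the original post; it automates step 4 of this scenario. It confirms a completed reseed from the Seeding channel events named above, then encrypts any Exchange data volume that is still decrypted with a recovery password, backs that password up to AD, and optionally enables auto-unlock for the TPM scenario. It assumes the BitLocker module is installed, that data volumes are mounted under C:\ExchangeVolumes, and that the GPO settings from the earlier sections are in place; -WhatIf shows what would be encrypted without changing anything.

```powershell
# Added example (not from the original post). Run in the maintenance window after
# AutoReseed has replaced a failed disk: find completed reseeds, then encrypt every
# Exchange data volume that is still decrypted.
Import-Module BitLocker

function Get-RecentReseedEvent {
    param([int]$LookbackHours = 24)
    # 1127 = reseed initiated, 826 = reseed completed (Microsoft-Exchange-HighAvailability/Seeding)
    $filter = @{
        LogName   = 'Microsoft-Exchange-HighAvailability/Seeding'
        Id        = 1127, 826
        StartTime = (Get-Date).AddHours(-$LookbackHours)
    }
    # Get-WinEvent raises a non-terminating error when nothing matches; treat that as "no events".
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

function Protect-ReseededDataVolume {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$DataVolumeRoot = 'C:\ExchangeVolumes',  # assumed mount-point root
        [switch]$EnableAutoUnlock,                       # TPM scenario only
        [int]$LookbackHours = 24
    )
    $events    = @(Get-RecentReseedEvent -LookbackHours $LookbackHours)
    $started   = @($events | Where-Object { $_.Id -eq 1127 }).Count
    $completed = @($events | Where-Object { $_.Id -eq 826 }).Count
    if ($completed -eq 0) {
        Write-Warning "No completed reseed (event 826) in the last $LookbackHours hours; nothing to do."
        return
    }
    # Heuristic: more starts than completions in the window means a reseed is still running.
    if ($started -gt $completed) {
        Write-Warning "$($started - $completed) reseed(s) still in progress; encrypt only after they finish."
        return
    }

    $candidates = Get-BitLockerVolume |
        Where-Object { $_.MountPoint -like "$DataVolumeRoot*" -and
                       $_.VolumeStatus -eq 'FullyDecrypted' }
    foreach ($vol in $candidates) {
        $mp = $vol.MountPoint
        if (-not $PSCmdlet.ShouldProcess($mp, 'Enable BitLocker (used space only, recovery password)')) { continue }

        # Equivalent of: manage-bde -on <mountpoint> -rp -usedspaceonly
        $enabled = Enable-BitLocker -MountPoint $mp -RecoveryPasswordProtector -UsedSpaceOnly
        # Back the recovery password up to the computer account in AD; the GPO
        # "Do not enable BitLocker until recovery information is stored to AD DS" depends on it.
        $rp = $enabled.KeyProtector |
              Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
              Select-Object -First 1
        Backup-BitLockerKeyProtector -MountPoint $mp -KeyProtectorId $rp.KeyProtectorId | Out-Null
        if ($EnableAutoUnlock) { Enable-BitLockerAutoUnlock -MountPoint $mp | Out-Null }

        [pscustomobject]@{
            MountPoint  = $mp
            ProtectorId = $rp.KeyProtectorId
            Status      = (Get-BitLockerVolume -MountPoint $mp).VolumeStatus
        }
    }
}

# Preview first, then run for real (add -EnableAutoUnlock in the TPM scenario).
Protect-ReseededDataVolume -WhatIf
```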

Process after Exchange 2013 CU13 or Exchange 2016 CU2

To ensure that Disk Reclaimer handles spare disks correctly and encrypts them with BitLocker, execute the following once all Mailbox servers in the DAG have been upgraded to either Exchange 2013 CU13 (or later) or Exchange 2016 CU2 (or later):

Set-DatabaseAvailabilityGroup <Name> -AutoDagBitLockerEnabled $true

Alternatively, you can follow the aforementioned process.

Note: If you previously disabled Disk Reclaimer, you will need to enable it again to take advantage of this functionality.

Conclusion

Hopefully this information helps you understand BitLocker encryption and configure BitLocker for Exchange servers. As indicated, the recommended approach is to use a TPM for storing the recovery information and to allow the operating system to unlock volumes automatically during boot. However, if your servers do not have access to a TPM, you can consider encrypting only the data volumes and crafting a mechanism to ensure that the data volumes unlock at OS boot.

If you have any questions, please do not hesitate to ask.

Ross Smith IV
Principal Program Manager
Office 365 Customer Experience

Comments (2)
  1. DDog80 says:

    Thanks Ross. Great article! The Exchange Team blog is good stuff. I have some questions if you have time.
    - Is there a performance penalty/overhead when large databases are seeded to a volume if we utilize encryption on 'Used space only' (on the fly) vs 'entire volume' (previously encrypted)?

    - If we're using AutoReseed with JBOD, and encrypting a new disk prior to usage, you mention not to assign mount points. Aren't mount points required by AutoReseed?
