How to Encrypt your Hyper-V Host Server using the GUI

Back to Blog
20Jul2017

How to Encrypt your Hyper-V Host Server using the GUI

Full disk encryption is becoming more important in the SMB.  I recommend this for every Windows 10 Pro PC, and also for your Windows Servers. Small businesses often have a single physical Hyper-V host server, maybe two. And these are usually located in a network closet or mechanical room, in a small office space.  These aren’t necessarily the most secure locations all the time.  Having your at-rest data encrypted on disk is oftentimes your best insurance against loss or theft, and also against data leakage when you go to retire old systems, etc.

On Windows Server, BitLocker is the IT tool of choice.  We’ve covered how to enable this on individual Windows 10 PC’s in the past.  For Windows Server, the process can be a bit different, depending on what you’re trying to do.  Admins have two options, really (or they can do both).

  1. Encrypt the Hyper-V Host Server (this post)
  2. Encrypt the Guest VMs (follow-up post)

Encrypt the Hyper-V Host Server

I would choose this option in most circumstances to meet compliance requirements in a small office / branch office. Why? Because you really just care about encrypting the physical disks, to protect against loss / theft in many cases. In Windows Server 2012 and 2012 R2, this is the only option I would suggest, unless you’re willing to input a startup PIN every time a VM reboots for updates. More on that later.

Enable BitLocker via the GUI

Most small office/branch offices have a single host server, maybe two, which are frequently just in a workgroup, separate from the domain. Therefore, you probably won’t be setting anything up in Group Policy for this in a small business scenario, just configuring it manually on the server. Further, admins of these deployments will probably be more comfortable accomplishing this task in the GUI than in the command line, so I wanted to cover that process here. From Server Manager, go to Add Roles & Features.  Select BitLocker Drive Encryption.

To enable the GUI features for BitLocker in Windows Server 2012 R2, you need to install two features. Scroll down further to find User Interfaces & Infrastructure > Desktop Experience. This will allow the BitLocker applet to show up in Control Panel. This is not required if you already installed Windows Server 2016 with the Desktop Experience (rather than Core or Nano).

Next, check your computer for a TPM chip. The easiest way to do this is to right-click the start button and open Device Manager. Look for and expand Security Devices, if present. You would see it here. If you don’t see it, you don’t have it.

If you do not have a TPM 1.2 or 2.0 chip on your host, then you will need to enable this group policy setting:

  • Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives

  • Double-click the “Require additional authentication at startup” option in the right pane
  • Select “Enabled” and be sure to select the check mark box for: Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive). You can also choose to enforce a PIN in addition to TPM. Just be aware this means someone has to physically enter a PIN at startup (e.g. think about updates/ reboots).

After the requisite items are completed, reboot the server, and then open Control Panel > BitLocker Drive Encryption. You can Turn on BitLocker and follow the wizard to encrypt the server.  You will start with the OS drive, which will require a reboot to begin encryption, after which you can then proceed to the fixed data partitions.

There are slight variations between 2012 R2 and 2016, but in general you should save or print your keys, storing them somewhere safe & secure (not on the same drive you are encrypting), and check the box for BitLocker System Check. You may see an option to encrypt used space only or the full drive in 2012 R2. I always choose to encrypt the whole thing–best not to leave question marks. In Server 2016, use the New encryption mode option.

To check on the status of the encryption, open a command prompt and type:

manage-bde -status

Return to Control Panel > BitLocker Drive Encryption to proceed with encrypting any data disks; you will need to select a method to unlock the drive.  I usually choose Automatic, otherwise there would be manual intervention required after each reboot to unlock this disk.

You will need to save a separate key for this drive. Just be aware of that.  This should complete the process for you on your Hyper-V host.

Technical , , , , , 0 Comments
Share:

Leave a Reply

Back to Blog

Related Posts

26Nov

Coming soon to an Azure AD/Microsoft 365 subscription near you: Life without passwords?!

I previously commented when Microsoft released new password guidance, which is backed by their own research as well as that of NIST. A quick recap of that: Require passwords have at least 8 characters. Longer isn't necessarily better, as they cause users to choose predictable... read more
04Sep

Windows Hello for Business: Azure AD Join vs. Hybrid Join

Windows Hello for Business replaces a traditional password when signing into your workstation, with a stronger two-factor authentication. One factor being some kind of local gesture such as a PIN, fingerprint or facial recognition, and the other being a key or certificate that is bound... read more
02Mar

It’s all about your downtime tolerance

Before you go picking the cheapest possible IT solution that meets your business requirements, or on the other side of the equation, adding unnecessary complexity to your network, you first need to consider: What is your downtime tolerance? If you don't answer this critical question,... read more
09May

Three ways to disable basic authentication and legacy protocols in Exchange Online

One of the most common (and often successful) attacks we see in the wild is a simple brute force / password spray against weak accounts. Especially against shared mailboxes. From that foothold, the most common next step attackers will take is to send out spam/phishing... read more
25Jan

Tutorial: How to downgrade to the old Office 365 Message Encryption

I recently shared the method used to enable the "new" Office 365 Message Encryption features, built on Azure Information Protection. That process can be followed either to setup a new tenant with the latest version (v2), or to upgrade an existing tenant from the old... read more
18Aug

2016 Essentials Integration: Azure AD & Office 365

This post is part of a series on the Microsoft Cloud Services integrations that are included with Windows Server 2016 Essentials Experience. To begin we will connect our local on-premises Windows Essentials Experience Server to the Microsoft cloud by enabling the Azure Active Directory and Office 365 integrations. Please note that this is... read more
11Dec

Notes from the field: Windows 10 Device Compliance

One of the coolest features in Microsoft 365 is the ability to measure device compliance, and based on that reading, grant, deny or limit access to cloud resources. For mobile devices this works really well, and most compliance policies are fairly simple: make sure the... read more
Unboxing Microsoft Defender for Business: Device-based Conditional Access
09Mar

Unboxing Microsoft Defender for Business, Part 4: Integration with MEM and Conditional Access

Welcome back to this series! Microsoft Defender for Business (MDB) is a huge product with lots of ground to cover. So far we have discussed the Simplified configuration process, Threat & Vulnerability Management, and Attack Surface Reduction Rules. Since we began our series an exciting thing... read more
21Feb

What are the benefits of using Autopilot in Microsoft 365? And, how to configure it.

Autopilot is a "low touch" or "no touch" deployment method that can be leveraged by IT departments to enable self-service computer deployments. Users can basically pick up a new Windows 10 device, sign in, and have all of their applications and data come to them... read more
30Jun

Troubleshooting weird Azure AD Join issues

If you are starting to do more Azure AD Join (or disjoin/rejoin) operations, you may run into some issues at times where the computer reports an error. These can take several forms, but generally the message is, "Sorry dude, but you can't join/register this device." Here... read more

Helping IT Consultants Succeed in the Microsoft Cloud

Have a Question? Contact me today.

Contact Me