Key Considerations for Deploying BitLocker on EC2 Windows Instances
Enabling BitLocker system drive encryption on EC2 Windows instances is feasible, but the risks are higher than on physical machines. The key issue is that EC2 typically lacks a traditional TPM, so after encrypting the system drive, a password is required during the boot phase, and the standard console may not provide a reliable input channel.
Risk Points
If you enable BitLocker directly on the C drive and reboot, you may encounter:
- The instance status shows running, but RDP cannot connect.
- The boot phase is waiting for a BitLocker password or recovery key.
- The console shows a black screen or cannot accept input.
- The workload is unavailable for an extended period, and recovery is only possible through snapshot/AMI rollback.
Therefore, you must first verify that the EC2 serial console is available.
Pre-Operation Preparation
- Create an AMI or EBS snapshot.
- Perform a complete rehearsal on a test instance.
- Record and securely store the recovery key offline.
- Confirm acceptance of a reboot and brief downtime window.
Enable Serial Console SAC
Run the following in an administrator PowerShell session:
bcdedit /ems '{current}' on
bcdedit /emssettings EMSPORT:1 EMSBAUDRATE:115200
bcdedit /set '{bootmgr}' displaybootmenu yes
bcdedit /set '{bootmgr}' timeout 15
bcdedit /set '{bootmgr}' bootems yes
shutdown -r -t 0
After rebooting, confirm through the EC2 console ("Connect -> EC2 Serial Console") that you can reach the boot interface. If the serial console is not available, do not proceed with encrypting the system drive.
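The page says to verify the serial console before going any further; the script below is an added pre-flight check (not from the original post) that reads back the bcdedit settings above, confirms the account-level EC2 serial console switch is on, and confirms the instance type runs on the Nitro hypervisor, which the EC2 serial console requires. It assumes AWS CLI v2 is installed on the instance with credentials allowed to call ec2:GetSerialConsoleAccessStatus and ec2:DescribeInstanceTypes; everything else comes from IMDSv2.

```powershell
# Added example, not part of the original article. Run in an elevated PowerShell
# session on the instance after the bcdedit commands and the reboot.

# 1. Read back the boot configuration written by the bcdedit commands.
$bootmgr = bcdedit /enum '{bootmgr}' | Out-String
$current = bcdedit /enum '{current}' | Out-String
$ems     = bcdedit /enum '{emssettings}' | Out-String

$checks = [ordered]@{
    'bootmgr bootems yes'         = $bootmgr -match 'bootems\s+Yes'
    'bootmgr displaybootmenu yes' = $bootmgr -match 'displaybootmenu\s+Yes'
    'current ems on'              = $current -match '(?m)^ems\s+Yes'
    'emssettings port 1'          = $ems -match 'emsport\s+1'
    'emssettings baud 115200'     = $ems -match 'emsbaudrate\s+115200'
}

# 2. Ask IMDSv2 where we are (token first, then the metadata paths).
$imds  = 'http://169.254.169.254/latest'
$token = Invoke-RestMethod -Method PUT -Uri "$imds/api/token" `
            -Headers @{ 'X-aws-ec2-metadata-token-ttl-seconds' = '300' }
$hdr   = @{ 'X-aws-ec2-metadata-token' = $token }
$region       = Invoke-RestMethod -Uri "$imds/meta-data/placement/region" -Headers $hdr
$instanceType = Invoke-RestMethod -Uri "$imds/meta-data/instance-type"    -Headers $hdr

# 3. The serial console is disabled per account by default; it must be on.
$status = aws ec2 get-serial-console-access-status --region $region --output json |
          ConvertFrom-Json
$checks['account serial console access enabled'] = [bool]$status.SerialConsoleAccessEnabled

# 4. Only Nitro-based instance types expose the serial console.
$typeInfo = aws ec2 describe-instance-types --instance-types $instanceType `
              --region $region --output json | ConvertFrom-Json
$checks["instance type $instanceType on Nitro"] = $typeInfo.InstanceTypes[0].Hypervisor -eq 'nitro'

# 5. Report, and refuse to continue if anything failed.
$failed = @()
foreach ($entry in $checks.GetEnumerator()) {
    $state = if ($entry.Value) { 'OK' } else { 'FAIL'; $failed += $entry.Key }
    '{0,-44} {1}' -f $entry.Key, $state
}
if ($failed.Count -gt 0) {
    Write-Error "Serial console prerequisites not met: $($failed -join ', '). Do not encrypt the system drive."
    exit 1
}
'All serial console checks passed; now confirm interactively via Connect -> EC2 Serial Console.'
```

Passing the script is necessary but not sufficient: the IAM principal you will use during the outage still needs ec2-instance-connect:SendSerialConsoleSSHPublicKey, so finish with the manual connection the article asks for.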
Install BitLocker Feature
Add BitLocker via Server Manager, or use PowerShell:
Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools
Restart-Computer
Configure Boot Without TPM
Run gpedit.msc and navigate to:
Computer Configuration -> Administrative Templates -> Windows Components -> BitLocker Drive Encryption -> Operating System Drives
Enable "Require additional authentication at startup" and check "Allow BitLocker without a compatible TPM".
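For instances built without an interactive session (user data, SSM, image pipelines) the same policy can be written directly to its registry location under HKLM\SOFTWARE\Policies\Microsoft\FVE. The script below is an added example, not from the original post; it sets the values that the gpedit.msc dialog above writes, reads them back, and reports whether a TPM is present so you can see why the policy is needed on this instance.

```powershell
# Added example, not part of the original article. Run elevated.
# Registry equivalent of "Require additional authentication at startup"
# with "Allow BitLocker without a compatible TPM".
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }

$policy = [ordered]@{
    UseAdvancedStartup = 1   # turns the "Require additional authentication" policy on
    EnableBDEWithNoTPM = 1   # "Allow BitLocker without a compatible TPM"
    UseTPM             = 2   # 2 = allowed (not required) for each TPM mode
    UseTPMPIN          = 2
    UseTPMKey          = 2
    UseTPMKeyPIN       = 2
}

foreach ($name in $policy.Keys) {
    New-ItemProperty -Path $fve -Name $name -Value $policy[$name] `
        -PropertyType DWord -Force | Out-Null
}

# Read the values back; a mismatch means the policy is not actually in effect.
$applied = Get-ItemProperty -Path $fve
foreach ($name in $policy.Keys) {
    if ($applied.$name -ne $policy[$name]) {
        throw "Policy value $name is $($applied.$name), expected $($policy[$name])"
    }
}

# Show why this is needed: most EC2 Windows instances report no TPM.
$tpm = Get-Tpm
'TPM present: {0}; BitLocker without TPM allowed by policy: {1}' -f `
    $tpm.TpmPresent, ($applied.EnableBDEWithNoTPM -eq 1)
```

If a domain GPO also manages the FVE key, the domain values win on the next policy refresh, so set the policy there instead of locally in that case.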
Encrypt Data Drives
For data drives, test first:
- Right-click the data drive and enable BitLocker.
- Choose password unlock.
- Save the recovery key.
- Configure auto-unlock after encryption completes.
Without auto-unlock, the workload may become unavailable after every reboot because the data drive is locked.
Encrypt the System Drive
Enable BitLocker on the C drive, choose password unlock, save the recovery key, and run the BitLocker system check.
After rebooting:
- RDP is temporarily unavailable.
- Connect to the EC2 serial console.
- At the black screen, enter the BitLocker password and press Enter.
- Windows unlocks and continues booting.
- Restore RDP after the system finishes booting.
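The data-drive and system-drive steps above, scripted with the BitLocker PowerShell module; this is an added example and not the original post's procedure. It assumes D: is the data drive and C: the system drive, reads both passwords interactively, adds a recovery password to each volume, and writes the recovery passwords to a placeholder path that you must move off the instance. One caveat the script handles: auto-unlock stores the data-drive key on the system drive, so Enable-BitLockerAutoUnlock only succeeds once the system drive is BitLocker-protected; because the system check defers protection until after the reboot, the script enables auto-unlock if it can and otherwise tells you to run it after the first successful boot.

```powershell
# Added example, not part of the original article. Run elevated after the
# boot-without-TPM policy is set and the serial console has been verified.
$dataDrive      = 'D:'
$osDrive        = 'C:'
$recoveryExport = 'C:\Temp\bitlocker-recovery-passwords-PLACEHOLDER.txt'   # placeholder path

$dataPw = Read-Host -AsSecureString "Password for data drive $dataDrive"
$osPw   = Read-Host -AsSecureString "Password for system drive $osDrive (typed at the serial console on boot)"

# Data drive first, as in the article: password protector plus a recovery password.
Enable-BitLocker -MountPoint $dataDrive -PasswordProtector -Password $dataPw `
    -EncryptionMethod XtsAes256 | Out-Null
Add-BitLockerKeyProtector -MountPoint $dataDrive -RecoveryPasswordProtector | Out-Null

# System drive: password protector for the boot prompt, recovery password as fallback.
# Not passing -SkipHardwareTest keeps the BitLocker system check; it runs on the next reboot.
Enable-BitLocker -MountPoint $osDrive -PasswordProtector -Password $osPw `
    -EncryptionMethod XtsAes256 | Out-Null
Add-BitLockerKeyProtector -MountPoint $osDrive -RecoveryPasswordProtector | Out-Null

# Export every recovery password. Move this file off the instance and delete the
# local copy; a recovery key that only lives on the encrypted disk cannot help you.
New-Item -ItemType Directory -Path (Split-Path $recoveryExport) -Force | Out-Null
$lines = foreach ($mp in @($dataDrive, $osDrive)) {
    $vol = Get-BitLockerVolume -MountPoint $mp
    foreach ($kp in ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        '{0} {1} {2}' -f $mp, $kp.KeyProtectorId, $kp.RecoveryPassword
    }
}
$lines | Set-Content -Path $recoveryExport
"Recovery passwords written to $recoveryExport"

# Auto-unlock needs the OS volume protected; with the system check pending that
# normally only becomes true after the reboot, so try now and report otherwise.
if ((Get-BitLockerVolume -MountPoint $osDrive).ProtectionStatus -eq 'On') {
    Enable-BitLockerAutoUnlock -MountPoint $dataDrive | Out-Null
    "Auto-unlock enabled for $dataDrive"
} else {
    "System drive not yet protected: after the first successful boot run " +
    "Enable-BitLockerAutoUnlock -MountPoint $dataDrive, or $dataDrive stays locked on every reboot."
}

# Final status before the reboot that triggers the system check and the boot prompt.
Get-BitLockerVolume | Select-Object MountPoint, VolumeStatus, ProtectionStatus,
    EncryptionPercentage, @{ n = 'Protectors'; e = { ($_.KeyProtector.KeyProtectorType -join ',') } }
```

After the reboot, Get-BitLockerVolume over the serial console or a restored RDP session should show ProtectionStatus On for both volumes; if D: reports Locked, the auto-unlock step above is the one still missing.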
Summary
The key to using BitLocker on EC2 Windows is not clicking "Enable Encryption"; it is whether you can unlock the drive during the boot phase.
You must:
- Create an AMI/snapshot before encrypting.
- Enable and verify the EC2 serial console first.
- Save the recovery key.
- Configure auto-unlock for data drives.
- Rehearse the complete reboot process in a test environment first.
If you only need encryption at rest for EBS volumes, prefer native EBS encryption. BitLocker is more suitable for BYOL or specific compliance scenarios.
