BitLocker operations guide (2024)

Table of Contents
In this article BitLocker PowerShell module BitLocker Control Panel applet Use BitLocker within Windows Explorer Check the BitLocker status Enable BitLocker OS drive with TPM protector OS drive with TPM protector and startup key Data volumes Manage BitLocker protectors List protectors Add protectors Remove protectors Suspend and resume Suspend BitLocker Resume BitLocker Reset and backup a recovery password Disable BitLocker Unlock a drive
  • Article
  • Applies to:
    Windows 11, ✅ Windows 10, ✅ Windows Server 2022, ✅ Windows Server 2019, ✅ Windows Server 2016

There are different tools and options to manage and operate BitLocker:

  • the BitLocker PowerShell module
  • the BitLocker drive encryption tools
  • Control Panel

The BitLocker drive encryption tools and BitLocker PowerShell module can be used to perform any tasks that can be accomplished through the BitLocker Control Panel. They're appropriate to use for automated deployments and other scripting scenarios.
The BitLocker Control Panel applet allows users to perform basic tasks such as turning on BitLocker on a drive and specifying unlock methods and authentication methods. The BitLocker Control Panel applet is appropriate to use for basic BitLocker tasks.

This article describes the BitLocker management tools and how to use them, providing practical examples.

BitLocker PowerShell module

The BitLocker PowerShell module enables administrators to integrate BitLocker options into existing scripts with ease. For a list of cmdlets included in module, their description and syntax, check the BitLocker PowerShell reference article.

The BitLocker drive encryption tools include the two command-line tools:

  • Configuration Tool (manage-bde.exe) can be used for scripting BitLocker operations, offering options that aren't present in the BitLocker Control Panel applet. For a complete list of the manage-bde.exe options, see the Manage-bde reference
  • Repair Tool (repair-bde.exe) is useful for disaster recovery scenarios, in which a BitLocker protected drive can't be unlocked normally or using the recovery console

BitLocker Control Panel applet

Encrypting volumes with the BitLocker Control Panel (select Start, enter BitLocker, select Manage BitLocker) is how many users will use BitLocker. The name of the BitLocker Control Panel applet is BitLocker Drive Encryption. The applet supports encrypting operating system, fixed data, and removable data volumes. The BitLocker Control Panel organizes available drives in the appropriate category based on how the device reports itself to Windows. Only formatted volumes with assigned drive letters appear properly in the BitLocker Control Panel applet.

Use BitLocker within Windows Explorer

Windows Explorer allows users to launch the BitLocker Drive Encryption Wizard by right-clicking a volume and selecting Turn On BitLocker. This option is available on client computers by default. On servers, the BitLocker feature and the Desktop-Experience feature must first be installed for this option to be available. After selecting Turn on BitLocker, the wizard works exactly as it does when launched using the BitLocker Control Panel.

Check the BitLocker status

To check the BitLocker status of a particular volume, administrators can look at the status of the drive in the BitLocker Control Panel applet, Windows Explorer, manage-bde.exe command-line tool, or Windows PowerShell cmdlets. Each option offers different levels of detail and ease of use.

Follow the instructions below verify the status of BitLocker, selecting the tool of your choice.

  • PowerShell
  • Command Prompt
  • Control Panel

To determine the current state of a volume you can use the Get-BitLockerVolume cmdlet, which provides information on the volume type, protectors, protection status, and other details. For example:

PS C:\> Get-BitLockerVolume C: | flComputerName : DESKTOPMountPoint : C:EncryptionMethod : XtsAes128AutoUnlockEnabled :AutoUnlockKeyStored : FalseMetadataVersion : 2VolumeStatus : FullyEncryptedProtectionStatus : OnLockStatus : UnlockedEncryptionPercentage : 100WipePercentage : 0VolumeType : OperatingSystemCapacityGB : 1000KeyProtector : {Tpm, RecoveryPassword}

Enable BitLocker

OS drive with TPM protector

The following example shows how to enable BitLocker on an operating system drive using only the TPM protector and no recovery key:

  • PowerShell
  • Command Prompt
  • Control Panel
Enable-BitLocker C: -TpmProtector

OS drive with TPM protector and startup key

The following example shows how to enable BitLocker on an operating system drive using the TPM and startup key protectors.

Assuming the OS drive letter is C: and the USB flash drive is drive letter E:, here's the command:

  • PowerShell
  • Command Prompt
  • Control Panel

If you choose to skip the BitLocker hardware test, encryption starts immediately without the need for a reboot.

Enable-BitLocker C: -StartupKeyProtector -StartupKeyPath E: -SkipHardwareTest

After reboot, the BitLocker preboot screen displays and the USB startup key must be inserted before the operating system can be started:

BitLocker operations guide (10)

Data volumes

Data volumes use a similar process for encryption as operating system volumes, but they don't require protectors for the operation to complete.

  • PowerShell
  • Command Prompt
  • Control Panel

Add the desired protectors prior to encrypting the volume. The following example adds a password protector to the E: volume using the variable $pw as the password. The $pw variable is held as a SecureString value to store the user-defined password:

$pw = Read-Host -AsSecureString<user inputs password>Add-BitLockerKeyProtector E: -PasswordProtector -Password $pw

Note

The BitLocker cmdlet requires the key protector GUID enclosed in quotation marks to execute. Ensure the entire GUID, with braces, is included in the command.

Example: Use PowerShell to enable BitLocker with a TPM protector

Enable-BitLocker D: -EncryptionMethod XtsAes256 -UsedSpaceOnly -TpmProtector

Example: Use PowerShell to enable BitLocker with a TPM+PIN protector, in this case with a PIN set to 123456:

$SecureString = ConvertTo-SecureString "123456" -AsPlainText -ForceEnable-BitLocker C: -EncryptionMethod XtsAes256 -UsedSpaceOnly -Pin $SecureString -TPMandPinProtector
See Also
Command Line Utility for File EncryptionUse cipher.exe for command line encryption | TechRepublic

Manage BitLocker protectors

The management of BitLocker protectors consists in adding, removing, and backing up protectors.

Managed BitLocker protectors by using the following instructions, selecting the option that best suits your needs.

List protectors

The list of protectors available for a volume (C: in the example) can be listed by running the following command:

  • PowerShell
  • Command Prompt
  • Control Panel
(Get-BitLockerVolume -mountpoint C).KeyProtector

Add protectors

Add a recovery password protector

  • PowerShell
  • Command Prompt
  • Control Panel
Add-BitLockerKeyProtector -MountPoint C -RecoveryPasswordProtector

Add a password protector

A common protector for a data volume is the password protector. In the next example, a password protector is added to a volume.

  • PowerShell
  • Command Prompt
  • Control Panel
Add-BitLockerKeyProtector -MountPoint D -PasswordProtector

Add an Active Directory protector

The Active Directory protector is a SID-based protector that can be added to both operating system and data volumes, although it doesn't unlock operating system volumes in the preboot environment. The protector requires the SID for the domain account or group to link with the protector. BitLocker can protect a cluster-aware disk by adding an SID-based protector for the Cluster Name Object (CNO) that lets the disk properly failover and unlock to any member computer of the cluster.

Important

The SID-based protector requires the use of an additional protector such as TPM, PIN, recovery key, etc. when used on operating system volumes.

Note

This option is not available for Microsoft Entra joined devices.

In this example, a domain SID-based protector is added to a previously encrypted volume. The user knows the SID for the user account or group they wish to add and uses the following command:

  • PowerShell
  • Command Prompt
  • Control Panel
Add-BitLockerKeyProtector C: -ADAccountOrGroupProtector -ADAccountOrGroup "<SID>"

To add the protector to a volume, either the domain SID or the group name preceded by the domain and a backslash are needed. In the following example, the CONTOSO\Administrator account is added as a protector to the data volume G.

Enable-BitLocker G: -AdAccountOrGroupProtector -AdAccountOrGroup CONTOSO\Administrator

To use the SID for the account or group, the first step is to determine the SID associated with the security principal. To get the specific SID for a user account in Windows PowerShell, use the following command:

Get-ADUser -filter {samaccountname -eq "administrator"}

Note

Use of this command requires the RSAT-AD-PowerShell feature.

Tip

Information about the locally logged on user and group membership can be found using: whoami.exe /all.

Remove protectors

  • PowerShell
  • Command Prompt
  • Control Panel

To remove existing protectors on a volume, use the Remove-BitLockerKeyProtector cmdlet. A GUID associated with the protector to be removed must be provided.

The following commands return the list of key protectors and GUIDS:

$vol = Get-BitLockerVolume C$keyprotectors = $vol.KeyProtector$keyprotectors

By using this information, the key protector for a specific volume can be removed using the command:

Remove-BitLockerKeyProtector <volume> -KeyProtectorID "{GUID}"

Note

The BitLocker cmdlet requires the key protector GUID enclosed in quotation marks to execute. Ensure the entire GUID, with braces, is included in the command.

Note

You must have at least one unlock method for any BitLocker-encrypted drives.

Suspend and resume

Some configuration changes may require to suspend BitLocker and then resume it after the change is applied.

Suspend and resume BitLocker by using the following instructions, selecting the option that best suits your needs.

Suspend BitLocker

  • PowerShell
  • Command Prompt
  • Control Panel
Suspend-BitLocker -MountPoint D

Resume BitLocker

  • PowerShell
  • Command Prompt
  • Control Panel
Resume-BitLocker -MountPoint D

Reset and backup a recovery password

It's recommended to invalidate a recovery password after its use. In this example the recovery password protector is removed from the OS drive, a new protector added, and backed up to Microsoft Entra ID or Active Directory.

  • PowerShell
  • Command Prompt
  • Control Panel

Remove all recovery passwords from the OS volume:

(Get-BitLockerVolume -MountPoint $env:SystemDrive).KeyProtector | ` where-object {$_.KeyProtectorType -eq 'RecoveryPassword'} | ` Remove-BitLockerKeyProtector -MountPoint $env:SystemDrive

Add a BitLocker recovery password protector for the OS volume:

Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -RecoveryPasswordProtector

Obtain the ID of the new recovery password:

(Get-BitLockerVolume -mountpoint $env:SystemDrive).KeyProtector | where-object {$_.KeyProtectorType -eq 'RecoveryPassword'} | ft KeyProtectorId,RecoveryPassword

Note

This next steps are not required if the policy setting Choose how BitLocker-protected operating system drives can be recovered is configured to Require BitLocker backup to AD DS.

Copy the ID of the recovery password from the output.

Using the GUID from the previous step, replace the {ID} in the following command and use the following command to back up the recovery password to Microsoft Entra ID:

BackuptoAAD-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId "{ID}"

Or use the following command to back up the recovery password to Active Directory:

Backup-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId "{ID}"

Note

The braces {} must be included in the ID string.

Disable BitLocker

Disabling BitLocker decrypts and removes any associated protectors from the volumes. Decryption should occur when protection is no longer required, and not as a troubleshooting step.

Disable BitLocker by using the following instructions, selecting the option that best suits your needs.

  • PowerShell
  • Command Prompt
  • Control Panel

Windows PowerShell offers the ability to decrypt multiple drives in one pass. In the following example, the user has three encrypted volumes, which they wish to decrypt.

Using the Disable-BitLocker command, they can remove all protectors and encryption at the same time without the need for more commands. An example of this command is:

Disable-BitLocker

To avoid specifying each mount point individually, use the -MountPoint parameter in an array to sequence the same command into one line, without requiring additional user input. Example:

Disable-BitLocker -MountPoint C,D

Unlock a drive

If you connect a drive as a secondary drive to a device, and you have your BitLocker recovery key, you can unlock a BitLocker-enabled drive by using the following instructions.

In the next example, the D drive is the one to unlock. Select the option that best suits your needs.

  • PowerShell
  • Command Prompt
  • Control Panel
Unlock-BitLocker -MountPoint D -RecoveryPassword xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx

For more information, see Unlock-BitLocker

BitLocker operations guide (2024)
Top Articles
How to Wire Money Online Safely and Easily
5 Ways To Make $50,000 a Year in Passive Income
English Bulldog Puppies For Sale Under 1000 In Florida
Katie Pavlich Bikini Photos
Gamevault Agent
Pieology Nutrition Calculator Mobile
Hocus Pocus Showtimes Near Harkins Theatres Yuma Palms 14
Hendersonville (Tennessee) – Travel guide at Wikivoyage
Compare the Samsung Galaxy S24 - 256GB - Cobalt Violet vs Apple iPhone 16 Pro - 128GB - Desert Titanium | AT&T
Vardis Olive Garden (Georgioupolis, Kreta) ✈️ inkl. Flug buchen
Craigslist Dog Kennels For Sale
Things To Do In Atlanta Tomorrow Night
Non Sequitur
Crossword Nexus Solver
How To Cut Eelgrass Grounded
Pac Man Deviantart
Alexander Funeral Home Gallatin Obituaries
Shasta County Most Wanted 2022
Energy Healing Conference Utah
Aaa Saugus Ma Appointment
Geometry Review Quiz 5 Answer Key
Hobby Stores Near Me Now
Icivics The Electoral Process Answer Key
Allybearloves
Bible Gateway passage: Revelation 3 - New Living Translation
Yisd Home Access Center
Home
Shadbase Get Out Of Jail
Gina Wilson Angle Addition Postulate
Celina Powell Lil Meech Video: A Controversial Encounter Shakes Social Media - Video Reddit Trend
Walmart Pharmacy Near Me Open
Marquette Gas Prices
A Christmas Horse - Alison Senxation
Ou Football Brainiacs
Access a Shared Resource | Computing for Arts + Sciences
Vera Bradley Factory Outlet Sunbury Products
Pixel Combat Unblocked
Cvs Sport Physicals
Mercedes W204 Belt Diagram
Mia Malkova Bio, Net Worth, Age & More - Magzica
'Conan Exiles' 3.0 Guide: How To Unlock Spells And Sorcery
Teenbeautyfitness
Where Can I Cash A Huntington National Bank Check
Topos De Bolos Engraçados
Sand Castle Parents Guide
Gregory (Five Nights at Freddy's)
Grand Valley State University Library Hours
Holzer Athena Portal
Hello – Cornerstone Chapel
Stoughton Commuter Rail Schedule
Selly Medaline
Latest Posts
Why We Share Our Finances with Our kids
Bill Gates Says He's Happier at 63 Than He Was at 25 Because He Does 4 Simple Things - Thrive Global
Article information

Author: Reed Wilderman

Last Updated:

Views: 6074

Rating: 4.1 / 5 (72 voted)

Reviews: 87% of readers found this page helpful

Author information

Name: Reed Wilderman

Birthday: 1992-06-14

Address: 998 Estell Village, Lake Oscarberg, SD 48713-6877

Phone: +21813267449721

Job: Technology Engineer

Hobby: Swimming, Do it yourself, Beekeeping, Lapidary, Cosplaying, Hiking, Graffiti

Introduction: My name is Reed Wilderman, I am a faithful, bright, lucky, adventurous, lively, rich, vast person who loves writing and wants to share my knowledge and understanding with you.