| title | description | ms.topic | ms.date |
|---|---|---|---|
BitLocker operations guide |
Learn how to use different tools to manage and operate BitLocker. |
how-to |
06/18/2024 |
There are different tools and options to manage and operate BitLocker:
- the BitLocker PowerShell module
- the BitLocker drive encryption tools
- Control Panel
The BitLocker drive encryption tools and BitLocker PowerShell module can be used to perform any tasks that can be accomplished through the BitLocker Control Panel. They're appropriate to use for automated deployments and other scripting scenarios.
The BitLocker Control Panel applet allows users to perform basic tasks such as turning on BitLocker on a drive and specifying unlock methods and authentication methods. The BitLocker Control Panel applet is appropriate to use for basic BitLocker tasks.
This article describes the BitLocker management tools and how to use them, providing practical examples.
The BitLocker PowerShell module enables administrators to integrate BitLocker options into existing scripts with ease. For a list of cmdlets included in module, their description and syntax, check the BitLocker PowerShell reference article.
The BitLocker drive encryption tools include the two command-line tools:
- Configuration Tool (
manage-bde.exe) can be used for scripting BitLocker operations, offering options that aren't present in the BitLocker Control Panel applet. For a complete list of themanage-bde.exeoptions, see the Manage-bde reference - Repair Tool (
repair-bde.exe) is useful for disaster recovery scenarios, in which a BitLocker protected drive can't be unlocked normally or using the recovery console
Encrypting volumes with the BitLocker Control Panel (select Start, enter BitLocker, select Manage BitLocker) is how many users will use BitLocker. The name of the BitLocker Control Panel applet is BitLocker Drive Encryption. The applet supports encrypting operating system, fixed data, and removable data volumes. The BitLocker Control Panel organizes available drives in the appropriate category based on how the device reports itself to Windows. Only formatted volumes with assigned drive letters appear properly in the BitLocker Control Panel applet.
Windows Explorer allows users to launch the BitLocker Drive Encryption Wizard by right-clicking a volume and selecting Turn On BitLocker. This option is available on client computers by default. On servers, the BitLocker feature and the Desktop-Experience feature must first be installed for this option to be available. After selecting Turn on BitLocker, the wizard works exactly as it does when launched using the BitLocker Control Panel.
To check the BitLocker status of a particular volume, administrators can look at the status of the drive in the BitLocker Control Panel applet, Windows Explorer, manage-bde.exe command-line tool, or Windows PowerShell cmdlets. Each option offers different levels of detail and ease of use.
Follow the instructions below verify the status of BitLocker, selecting the tool of your choice.
To determine the current state of a volume you can use the Get-BitLockerVolume cmdlet, which provides information on the volume type, protectors, protection status, and other details. For example:
PS C:\> Get-BitLockerVolume C: | fl
ComputerName : DESKTOP
MountPoint : C:
EncryptionMethod : XtsAes128
AutoUnlockEnabled :
AutoUnlockKeyStored : False
MetadataVersion : 2
VolumeStatus : FullyEncrypted
ProtectionStatus : On
LockStatus : Unlocked
EncryptionPercentage : 100
WipePercentage : 0
VolumeType : OperatingSystem
CapacityGB : 1000
KeyProtector : {Tpm, RecoveryPassword}With manage-bde.exe you can determine the volume status on the target system, for example:
manage-bde.exe -statusThis command returns the volumes on the target, current encryption status, encryption method, and volume type (operating system or data) for each volume.
C:\>manage-bde -status
Volume C: [Local Disk]
[OS Volume]
Size: 1000 GB
BitLocker Version: 2.0
Conversion Status: Used Space Only Encrypted
Percentage Encrypted: 100.0%
Encryption Method: XTS-AES 128
Protection Status: Protection On
Lock Status: Unlocked
Identification Field: Unknown
Key Protectors:
TPM
Numerical PasswordChecking BitLocker status with the Control Panel is a common method used by most users. Once opened, the status for each volume is displayed next to the volume description and drive letter. Available status return values with applet include:
| Status | Description |
|---|---|
| On | BitLocker is enabled for the volume |
| Off | BitLocker isn't enabled for the volume |
| Suspended | BitLocker is suspended and not actively protecting the volume |
| Waiting for Activation | BitLocker is enabled with a clear protector key and requires further action to be fully protected |
If a drive is pre-provisioned with BitLocker, a status of Waiting for Activation displays with a yellow exclamation icon on the volume. This status means that there was only a clear protector used when encrypting the volume. In this case, the volume isn't in a protected state and needs to have a secure key added to the volume before the drive is fully protected. Administrators can use the Control Panel, PowerShell or manage-bde.exe to add an appropriate key protector. Once complete, the Control Panel updates to reflect the new status.
The following example shows how to enable BitLocker on an operating system drive using only the TPM protector and no recovery key:
Enable-BitLocker C: -TpmProtectormanage-bde.exe -on C:From the BitLocker Drive Encryption Control Panel applet:
-
Expand the OS drive and select the option Turn on BitLocker
-
When prompted, select the option Let BitLocker automatically unlock my drive
-
Back up the recovery key using one of the following methods:
- Save to your Microsoft Entra ID account or Microsoft Account (if applicable)
- Save to a USB flash drive
- Save to a file - the file needs to be saved to a location that isn't on the device itself such as a network folder
- Print the recovery key
-
Select Next
-
Choose one of the options to encrypt used disk space only or encrypt entire drive and select Next
- Encrypt used disk space only - Encrypts only disk space that contains data
- Encrypt entire drive - Encrypts the entire volume including free space. Also known as full disk encryption
Each of the methods is recommended in the following scenarios:
-
Encrypt used disk space only:
- The drive has never had data
- Formatted or erased drives that in the past have never had confidential data that was never encrypted
-
Encrypt entire drive (full disk encryption):
- Drives that currently have data
- Drives that currently have an operating system
- Formatted or erased drives that in the past had confidential data that was never encrypted
[!IMPORTANT] Deleted files appear as free space to the file system, which isn't encrypted by used disk space only. Until they are wiped or overwritten, deleted files hold information that could be recovered with common data forensic tools.
-
Select an encryption mode and select Next
- New encryption mode
- Compatible mode
[!NOTE] Normally New encryption mode should be chosen, but if the drive will be potentially moved to another device with an older Windows operating system, select Compatible mode
-
Select Continue > Restart now
-
After reboot, the OS performs a BitLocker system check and start encryption
Users can check encryption status using the BitLocker Control Panel applet.
Note
After a recovery key is created, the BitLocker Control Panel can be used to make additional copies of the recovery key.
The following example shows how to enable BitLocker on an operating system drive using the TPM and startup key protectors.
Assuming the OS drive letter is C: and the USB flash drive is drive letter E:, here's the command:
If you choose to skip the BitLocker hardware test, encryption starts immediately without the need for a reboot.
Enable-BitLocker C: -StartupKeyProtector -StartupKeyPath E: -SkipHardwareTestmanage-bde.exe -protectors -add C: -TPMAndStartupKey E:
manage-bde.exe -on C:If prompted, reboot the computer to complete the encryption process.
Note
After the encryption is completed, the USB startup key must be inserted before the operating system can be started.
The Control Panel applet doesn't allow enabling BitLocker and adding a startup key protector at the same time. To add a startup key protector, follow these steps:
- From the BitLocker Drive Encryption Control Panel applet, under the OS drive, select the option Change how drive is unlocked at startup
- When prompted, select the option Insert a USB flash drive
- Selecting the USB drive where you want to store the startup key, and select Save
After reboot, the BitLocker preboot screen displays and the USB startup key must be inserted before the operating system can be started:
:::image type="content" source="images/preboot-startup-key.png" alt-text="Screenshot of the BitLocker preboot screen asking for a USB drive containing the startup key.":::
Data volumes use a similar process for encryption as operating system volumes, but they don't require protectors for the operation to complete.
Add the desired protectors prior to encrypting the volume. The following example adds a password protector to the E: volume using the variable $pw as the password. The $pw variable is held as a SecureString value to store the user-defined password:
$pw = Read-Host -AsSecureString
<user inputs password>
Add-BitLockerKeyProtector E: -PasswordProtector -Password $pwNote
The BitLocker cmdlet requires the key protector GUID enclosed in quotation marks to execute. Ensure the entire GUID, with braces, is included in the command.
Example: Use PowerShell to enable BitLocker with a TPM protector
Enable-BitLocker D: -EncryptionMethod XtsAes256 -UsedSpaceOnly -TpmProtectorExample: Use PowerShell to enable BitLocker with a TPM+PIN protector, in this case with a PIN set to 123456:
$SecureString = ConvertTo-SecureString "123456" -AsPlainText -Force
Enable-BitLocker C: -EncryptionMethod XtsAes256 -UsedSpaceOnly -Pin $SecureString -TPMandPinProtectorEncrypting data volumes can be done using the base command:
manage-bde.exe -on <drive letter>or additional protectors can be added to the volume first. It's recommended to add at least one primary protector plus a recovery protector to a data volume.
Encrypting data volumes using the BitLocker Control Panel works in a similar fashion to encryption of the operating system volumes. Users select Turn on BitLocker within the BitLocker Control Panel to begin the BitLocker Drive Encryption Wizard.
The management of BitLocker protectors consists in adding, removing, and backing up protectors.
Managed BitLocker protectors by using the following instructions, selecting the option that best suits your needs.
The list of protectors available for a volume (C: in the example) can be listed by running the following command:
(Get-BitLockerVolume -mountpoint C).KeyProtector manage-bde.exe -protectors -get C:This information isn't available in the Control Panel.
Add-BitLockerKeyProtector -MountPoint C -RecoveryPasswordProtectormanage-bde.exe -protectors -add -recoverypassword C:From the BitLocker Drive Encryption Control Panel applet, select the volume where you want to add a protector and select the option Back up your recovery key.
A common protector for a data volume is the password protector. In the next example, a password protector is added to a volume.
Add-BitLockerKeyProtector -MountPoint D -PasswordProtectormanage-bde.exe -protectors -add -pw D:From the BitLocker Drive Encryption Control Panel applet, expand the drive where you want to add a password protector and select the option Add password. When prompted, enter and confirm a password to unlock the drive. Select Finish to complete the process.
The Active Directory protector is a SID-based protector that can be added to both operating system and data volumes, although it doesn't unlock operating system volumes in the preboot environment. The protector requires the SID for the domain account or group to link with the protector. BitLocker can protect a cluster-aware disk by adding an SID-based protector for the Cluster Name Object (CNO) that lets the disk properly failover and unlock to any member computer of the cluster.
Important
The SID-based protector requires the use of an additional protector such as TPM, PIN, recovery key, etc. when used on operating system volumes.
Note
This option is not available for Microsoft Entra joined devices.
In this example, a domain SID-based protector is added to a previously encrypted volume. The user knows the SID for the user account or group they wish to add and uses the following command:
Add-BitLockerKeyProtector C: -ADAccountOrGroupProtector -ADAccountOrGroup "<SID>"To add the protector to a volume, either the domain SID or the group name preceded by the domain and a backslash are needed. In the following example, the CONTOSO\Administrator account is added as a protector to the data volume G.
Enable-BitLocker G: -AdAccountOrGroupProtector -AdAccountOrGroup CONTOSO\AdministratorTo use the SID for the account or group, the first step is to determine the SID associated with the security principal. To get the specific SID for a user account in Windows PowerShell, use the following command:
Get-ADUser -filter {samaccountname -eq "administrator"}Note
Use of this command requires the RSAT-AD-PowerShell feature.
Tip
Information about the locally logged on user and group membership can be found using: whoami.exe /all.
manage-bde.exe -protectors -add -sid <user or group>This option isn't available in the Control Panel.
To remove existing protectors on a volume, use the Remove-BitLockerKeyProtector cmdlet. A GUID associated with the protector to be removed must be provided.
The following commands return the list of key protectors and GUIDS:
$vol = Get-BitLockerVolume C
$keyprotectors = $vol.KeyProtector
$keyprotectorsBy using this information, the key protector for a specific volume can be removed using the command:
Remove-BitLockerKeyProtector <volume> -KeyProtectorID "{GUID}"Note
The BitLocker cmdlet requires the key protector GUID enclosed in quotation marks to execute. Ensure the entire GUID, with braces, is included in the command.
The following commands return the list of key protectors:
manage-bde.exe -status C:The following command removes keys protector of a certain type:
manage-bde.exe -protectors -delete C: -type TPMandPINFrom the BitLocker Drive Encryption Control Panel applet, expand the drive where you want to remove a protector and select the option to remove it, if available.
Note
You must have at least one unlock method for any BitLocker-encrypted drives.
Some configuration changes may require to suspend BitLocker and then resume it after the change is applied.
Suspend and resume BitLocker by using the following instructions, selecting the option that best suits your needs.
Suspend-BitLocker -MountPoint Dmanage-bde.exe -protectors -disable d:You can only suspend BitLocker protection for the OS drive when using the Control Panel.
From the BitLocker Drive Encryption Control Panel applet, select the OS drive and select the option Suspend protection.
Resume-BitLocker -MountPoint Dmanage-bde.exe -protectors -enable d:From the BitLocker Drive Encryption Control Panel applet, select the OS drive and select the option Resume protection.
It's recommended to invalidate a recovery password after its use. In this example the recovery password protector is removed from the OS drive, a new protector added, and backed up to Microsoft Entra ID or Active Directory.
Remove all recovery passwords from the OS volume:
(Get-BitLockerVolume -MountPoint $env:SystemDrive).KeyProtector | `
where-object {$_.KeyProtectorType -eq 'RecoveryPassword'} | `
Remove-BitLockerKeyProtector -MountPoint $env:SystemDriveAdd a BitLocker recovery password protector for the OS volume:
Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -RecoveryPasswordProtectorObtain the ID of the new recovery password:
(Get-BitLockerVolume -mountpoint $env:SystemDrive).KeyProtector | where-object {$_.KeyProtectorType -eq 'RecoveryPassword'} | ft KeyProtectorId,RecoveryPasswordNote
This next steps are not required if the policy setting Choose how BitLocker-protected operating system drives can be recovered is configured to Require BitLocker backup to AD DS.
Copy the ID of the recovery password from the output.
Using the GUID from the previous step, replace the {ID} in the following command and use the following command to back up the recovery password to Microsoft Entra ID:
BackuptoAAD-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId "{ID}"Or use the following command to back up the recovery password to Active Directory:
Backup-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId "{ID}"Note
The braces {} must be included in the ID string.
Remove all recovery passwords from the OS volume:
manage-bde.exe -protectors -delete C: -type RecoveryPasswordAdd a BitLocker recovery password protector for the OS volume:
manage-bde.exe -protectors -add C: -RecoveryPasswordObtain the ID of the new recovery password:
manage-bde.exe -protectors -get C: -Type RecoveryPasswordNote
This following steps are not required if the policy setting Choose how BitLocker-protected operating system drives can be recovered is configured to Require BitLocker backup to AD DS.
Using the GUID from the previous step, replace the {ID} in the following command and use the following command to back up the recovery password to Microsoft Entra ID:
manage-bde.exe -protectors -aadbackup C: -id {ID}Or use the following command to back up the recovery password to Active Directory:
manage-bde.exe -protectors -adbackup C: -id {ID}Note
The braces {} must be included in the ID string.
This process can't be accomplished using the Control Panel. Use one of the other options instead.
Disabling BitLocker decrypts and removes any associated protectors from the volumes. Decryption should occur when protection is no longer required, and not as a troubleshooting step.
Disable BitLocker by using the following instructions, selecting the option that best suits your needs.
Windows PowerShell offers the ability to decrypt multiple drives in one pass. In the following example, the user has three encrypted volumes, which they wish to decrypt.
Using the Disable-BitLocker command, they can remove all protectors and encryption at the same time without the need for more commands. An example of this command is:
Disable-BitLockerTo avoid specifying each mount point individually, use the -MountPoint parameter in an array to sequence the same command into one line, without requiring additional user input. Example:
Disable-BitLocker -MountPoint C,DDecryption with manage-bde.exe offers the advantage of not requiring user confirmation to start the process. Manage-bde uses the -off command to start the decryption process. A sample command for decryption is:
manage-bde.exe -off C:This command disables protectors while it decrypts the volume and removes all protectors when decryption is complete.
BitLocker decryption using the Control Panel is done using a wizard. After opening the BitLocker Control Panel applet, select the Turn off BitLocker option to begin the process. To proceed, select the confirmation dialog. With Turn off BitLocker confirmed, the drive decryption process begins.
Once decryption is complete, the drive updates its status in the Control Panel and becomes available for encryption.
If you connect a drive as a secondary drive to a device, and you have your BitLocker recovery key, you can unlock a BitLocker-enabled drive by using the following instructions.
In the next example, the D drive is the one to unlock. Select the option that best suits your needs.
Unlock-BitLocker -MountPoint D -RecoveryPassword xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxxFor more information, see Unlock-BitLocker
manage-bde.exe -unlock D: -recoverypassword xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxxFor more information, see manage-bde unlock
You can unlock the drive from the Control Panel or from Explorer. After opening the BitLocker Control Panel applet, select the Unlock drive option to begin the process. When prompted, enter the 48-digit recovery key.