BitLocker Use BitLocker Drive Encryption Tools to manage BitLocker (Windows 10) (2023)


Applies to:

  • Windows 10
  • Windows 11
  • Windows Server 2016 and above

This article for the IT professional describes how to use tools to manage BitLocker.

BitLocker Drive Encryption Tools include the command-line tools manage-bde and repair-bde and the BitLocker cmdlets for Windows PowerShell.

Both manage-bde and the BitLocker cmdlets can be used to perform any task that can be accomplished through the BitLocker control panel and are appropriate to use for automated deployments and other scripting scenarios.

Repair-bde is a special circumstance tool that is provided for disaster recovery scenarios in which a BitLocker protected drive can't be unlocked normally or using the recovery console.

  1. Manage-bde
  2. Repair-bde
  3. BitLocker cmdlets for Windows PowerShell

Manage-bde

Manage-bde is a command-line tool that can be used for scripting BitLocker operations. Manage-bde offers additional options not displayed in the BitLocker control panel. For a complete list of the manage-bde.exe options, see the Manage-bde command-line reference.

Manage-bde includes fewer default settings and requires greater customization for configuring BitLocker. For example, using just the manage-bde.exe -on command on a data volume will fully encrypt the volume without any authenticating protectors. A volume encrypted in this manner still requires user interaction to turn on BitLocker protection, even though the command completes successfully, because an authentication method must be added to the volume before it is fully protected. The following sections provide examples of common usage scenarios for manage-bde.

Using manage-bde with operating system volumes

Listed below are examples of basic valid commands for operating system volumes. In general, using only the manage-bde.exe -on <drive letter> command will encrypt the operating system volume with a TPM-only protector and no recovery key. However, many environments require more secure protectors such as passwords or PINs and expect information recovery with a recovery key. It's recommended to add at least one primary protector plus a recovery protector to an operating system volume.

A good practice when using manage-bde.exe is to determine the volume status on the target system. Use the following command to determine volume status:

manage-bde.exe -status

This command returns the volumes on the target, current encryption status, encryption method, and volume type (operating system or data) for each volume:


The following example illustrates enabling BitLocker on a computer without a TPM chip. Before beginning the encryption process, the startup key needed for BitLocker must be created and saved to a USB drive. When BitLocker is enabled for the operating system volume, BitLocker will need to access the USB flash drive to obtain the encryption key. In this example, the drive letter E represents the USB drive. Once the commands are run, a prompt to reboot the computer appears so the encryption process can complete.

manage-bde.exe -protectors -add C: -startupkey E:
manage-bde.exe -on C:


After the encryption is completed, the USB startup key must be inserted before the operating system can be started.


An alternative to the startup key protector on non-TPM hardware is to use a password and an ADAccountOrGroup protector to protect the operating system volume. In this scenario, the protectors are added first. To add the protectors, enter the following command:

manage-bde.exe -protectors -add C: -pw -sid <user or group>

The above command will require the password protector to be entered and confirmed before it is added to the volume. With the protectors enabled on the volume, BitLocker can then be turned on.

On computers with a TPM, it's possible to encrypt the operating system volume without defining any protectors using manage-bde.exe. To enable BitLocker on a computer with a TPM without defining any protectors, enter the following command:

manage-bde.exe -on C:

The above command encrypts the drive using the TPM as the default protector. To verify whether a TPM protector is available, the protectors present on a volume can be listed by running the following command:

manage-bde.exe -protectors -get <volume>

Using manage-bde with data volumes

Data volumes use the same syntax for encryption as operating system volumes but they don't require protectors for the operation to complete. Encrypting data volumes can be done using the base command:

manage-bde.exe -on <drive letter>

or additional protectors can be added to the volume first. It's recommended to add at least one primary protector plus a recovery protector to a data volume.

A common protector for a data volume is the password protector. In the example below, a password protector is added to the volume and then BitLocker is turned on.

manage-bde.exe -protectors -add -pw C:
manage-bde.exe -on C:
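The following script is an added example, not code from the Microsoft article: it wraps manage-bde.exe in PowerShell to provision a data volume the way the sections above recommend (one primary protector plus a recovery protector) and then verifies the result by parsing -status and -protectors -get output rather than trusting exit codes alone. It assumes an elevated session, English-language manage-bde output, and that $Drive (a placeholder) is a data volume.

```powershell
# Added example, not from the Microsoft article: provision a data volume with manage-bde.exe
# using one primary protector plus a recovery protector, then verify the resulting state.
# Assumes an elevated session, English manage-bde output, and $Drive being a data volume.
param(
    [string]$Drive = "D:"   # placeholder drive letter
)
$mbde = Join-Path $env:SystemRoot "System32\manage-bde.exe"

function Get-MbdeStatus {
    # Parse 'manage-bde -status <volume>' into a hashtable of the fields the checks need.
    param([string]$Volume)
    $lines = & $mbde -status $Volume
    if ($LASTEXITCODE -ne 0) { throw "manage-bde -status $Volume failed:`n$($lines -join "`n")" }
    $status = @{}
    foreach ($line in $lines) {
        if ($line -match '^\s*(Conversion Status|Protection Status|Encryption Method|Percentage Encrypted):\s*(.+)$') {
            $status[$matches[1]] = $matches[2].Trim()
        }
    }
    return $status
}

function Get-MbdeProtectorTypes {
    # Return the protector type names from 'manage-bde -protectors -get <volume>'.
    # Each protector block starts with a 4-space-indented header such as "    Password:";
    # nested fields ("      ID: {...}") are indented further and are skipped.
    param([string]$Volume)
    $lines = & $mbde -protectors -get $Volume   # non-zero exit here just means "none found"
    $types = foreach ($line in $lines) {
        if ($line -match '^ {4}(\S[^:]*):\s*$') { $matches[1] }
    }
    return @($types)
}

$before = Get-MbdeStatus $Drive
Write-Host "$Drive before: $($before['Conversion Status']) / $($before['Protection Status'])"

$types = Get-MbdeProtectorTypes $Drive
$recoveryPassword = $null

# Recovery protector first, so that a forgotten password never means lost data.
if ($types -notcontains 'Numerical Password') {
    $out = & $mbde -protectors -add $Drive -RecoveryPassword
    if ($LASTEXITCODE -ne 0) { throw "Could not add a recovery password protector to $Drive" }
    # manage-bde prints the 48-digit recovery password once; capture it for escrow (AD DS or a vault).
    $recoveryPassword = ($out | Select-String -Pattern '\d{6}(-\d{6}){7}' | Select-Object -First 1).Matches.Value
}

# Primary protector: -Password prompts interactively, exactly like the article's '-pw' example.
if ($types -notcontains 'Password') {
    & $mbde -protectors -add $Drive -Password
    if ($LASTEXITCODE -ne 0) { throw "Could not add a password protector to $Drive" }
}

# Only now turn encryption on; with both protectors present, the volume is protected
# as soon as conversion finishes.
if ($before['Conversion Status'] -eq 'Fully Decrypted') {
    & $mbde -on $Drive | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "manage-bde -on $Drive failed" }
}

# Verify instead of assuming: both protector types listed, and conversion started or complete.
$after = Get-MbdeStatus $Drive
$types = Get-MbdeProtectorTypes $Drive
if (($types -notcontains 'Numerical Password') -or ($types -notcontains 'Password') -or
    ($after['Conversion Status'] -eq 'Fully Decrypted')) {
    throw "$Drive is not in the expected state. Protectors: $($types -join ', '); status: $($after | Out-String)"
}
Write-Host "$Drive protectors: $($types -join ', '); conversion: $($after['Conversion Status'])"
if ($recoveryPassword) {
    Write-Warning "Escrow this recovery password now (it is not shown again): $recoveryPassword"
}
```

The script intentionally refuses to report success unless both protector types are present afterwards, which is the failure mode the text warns about: a successful -on with no usable protector.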

Repair-bde

Hard disk areas on which BitLocker stores critical information could be damaged, for example, when a hard disk fails or if Windows exits unexpectedly.

The BitLocker Repair Tool (Repair-bde) can be used to access encrypted data on a severely damaged hard disk if the drive was encrypted with BitLocker. Repair-bde can reconstruct critical parts of the drive and salvage recoverable data as long as a valid recovery password or recovery key is used to decrypt the data. If the BitLocker metadata on the drive has become corrupt, the backup key package must be supplied in addition to the recovery password or recovery key. This key package is backed up in Active Directory Domain Services (AD DS) if the default settings for AD DS backup are used. With this key package and either the recovery password or recovery key, portions of a corrupted BitLocker-protected drive can be decrypted. Each key package will work only for a drive that has the corresponding drive identifier. The BitLocker Recovery Password Viewer can be used to obtain this key package from AD DS.


If recovery information is not being backed up to AD DS or if key packages need to be saved in an alternative way, the command:

manage-bde.exe -KeyPackage

can be used to generate a key package for a volume.

The Repair-bde command-line tool is intended for use when the operating system doesn't start or when the BitLocker Recovery Console can't be started. Use Repair-bde if the following conditions are true:

  • The drive has been encrypted using BitLocker Drive Encryption.

  • Windows doesn't start, or the BitLocker recovery console can't be started.

  • There isn't a backup copy of the data that is contained on the encrypted drive.


Damage to the drive may not be related to BitLocker. Therefore, it is recommended to try other tools to help diagnose and resolve the problem with the drive before using the BitLocker Repair Tool. The Windows Recovery Environment (Windows RE) provides additional options to repair computers.

The following limitations exist for Repair-bde:

  • The Repair-bde command-line tool can't repair a drive that failed during the encryption or decryption process.

  • The Repair-bde command-line tool assumes that if the drive has any encryption, then the drive has been fully encrypted.

For more information about using repair-bde, see Repair-bde.

BitLocker cmdlets for Windows PowerShell

Windows PowerShell cmdlets provide a new way for administrators to use when working with BitLocker. Using Windows PowerShell's scripting capabilities, administrators can integrate BitLocker options into existing scripts with ease. The list below displays the available BitLocker cmdlets.

Name: Parameters

  • Add-BitLockerKeyProtector: ADAccountOrGroup, ADAccountOrGroupProtector, Confirm, MountPoint, Password, PasswordProtector, Pin, RecoveryKeyPath, RecoveryKeyProtector, RecoveryPassword, RecoveryPasswordProtector, Service, StartupKeyPath, StartupKeyProtector, TpmAndPinAndStartupKeyProtector, TpmAndPinProtector, TpmAndStartupKeyProtector, TpmProtector, WhatIf
  • Backup-BitLockerKeyProtector: Confirm, KeyProtectorId, MountPoint, WhatIf
  • Disable-BitLocker: Confirm, MountPoint, WhatIf
  • Disable-BitLockerAutoUnlock: Confirm, MountPoint, WhatIf
  • Enable-BitLocker: AdAccountOrGroup, AdAccountOrGroupProtector, Confirm, EncryptionMethod, HardwareEncryption, Password, PasswordProtector, Pin, RecoveryKeyPath, RecoveryKeyProtector, RecoveryPassword, RecoveryPasswordProtector, Service, SkipHardwareTest, StartupKeyPath, StartupKeyProtector, TpmAndPinAndStartupKeyProtector, TpmAndPinProtector, TpmAndStartupKeyProtector, TpmProtector, UsedSpaceOnly, WhatIf
  • Enable-BitLockerAutoUnlock: Confirm, MountPoint, WhatIf
  • Get-BitLockerVolume: MountPoint
  • Lock-BitLocker: Confirm, ForceDismount, MountPoint, WhatIf
  • Remove-BitLockerKeyProtector: Confirm, KeyProtectorId, MountPoint, WhatIf
  • Resume-BitLocker: Confirm, MountPoint, WhatIf
  • Suspend-BitLocker: Confirm, MountPoint, RebootCount, WhatIf
  • Unlock-BitLocker: AdAccountOrGroup, Confirm, MountPoint, Password, RecoveryKeyPath, RecoveryPassword, WhatIf
Similar to manage-bde, the Windows PowerShell cmdlets allow configuration beyond the options offered in the control panel. As with manage-bde, users need to consider the specific needs of the volume they're encrypting prior to running Windows PowerShell cmdlets.

A good initial step is to determine the current state of the volume(s) on the computer. Determining the current state of the volume(s) can be done using the Get-BitLockerVolume cmdlet.

The Get-BitLockerVolume cmdlet output gives information on the volume type, protectors, protection status, and other details.


Occasionally, all protectors may not be shown when using Get-BitLockerVolume due to lack of space in the output display. If all of the protectors for a volume are not seen, use the Windows PowerShell pipe command (|) to format a full listing of the protectors:

Get-BitLockerVolume C: | fl

To remove the existing protectors prior to provisioning BitLocker on the volume, use the Remove-BitLockerKeyProtector cmdlet. Running this cmdlet requires the GUID associated with the protector to be removed.

A simple script can pipe the values of each Get-BitLockerVolume return out to another variable as seen below:

$vol = Get-BitLockerVolume
$keyprotectors = $vol.KeyProtector

By using this script, the information in the $keyprotectors variable can be displayed to determine the GUID for each protector.

By using this information, the key protector for a specific volume can be removed using the command:

Remove-BitLockerKeyProtector <volume>: -KeyProtectorID "{GUID}"

The BitLocker cmdlet requires the key protector GUID enclosed in quotation marks to execute. Ensure the entire GUID, with braces, is included in the command.
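The following script is an added example, not code from the Microsoft article: it puts the Get-BitLockerVolume, Backup-BitLockerKeyProtector and Remove-BitLockerKeyProtector steps above together, listing each protector with its GUID, ensuring a recovery password exists and is backed up to AD DS (the place the Repair-bde section says the key package comes from), and removing a protector by KeyProtectorId only when a recovery protector would still remain. $MountPoint and $RemoveProtectorType are placeholders, and an elevated session is assumed.

```powershell
# Added example, not from the Microsoft article: list a volume's protectors with their GUIDs,
# make sure a recovery password exists and is backed up to AD DS, then remove a protector by
# KeyProtectorId only when a recovery protector will still remain. $RemoveProtectorType is a
# placeholder (ExternalKey is the startup-key type); assumes an elevated session.
param(
    [string]$MountPoint = "C:",
    [string]$RemoveProtectorType = "ExternalKey"
)
$ErrorActionPreference = "Stop"

function Get-ProtectorTable {
    # One row per protector: the same data as Get-BitLockerVolume | fl, without truncation.
    param([string]$Volume)
    $vol = Get-BitLockerVolume -MountPoint $Volume
    foreach ($kp in $vol.KeyProtector) {
        [pscustomobject]@{
            Volume = $vol.MountPoint
            Type   = [string]$kp.KeyProtectorType
            Id     = $kp.KeyProtectorId      # already in "{GUID}" form, braces included
        }
    }
}

$table = @(Get-ProtectorTable $MountPoint)
$table | Format-Table -AutoSize | Out-Host

# 1. A recovery password must exist before any other protector is touched. Removing the
#    last protector a user can actually supply is how volumes become permanently inaccessible.
$recovery = @($table | Where-Object Type -eq 'RecoveryPassword')
if ($recovery.Count -eq 0) {
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $recovery = @(Get-ProtectorTable $MountPoint | Where-Object Type -eq 'RecoveryPassword')
}

# 2. Escrow each recovery password in AD DS; that is also where the key package Repair-bde
#    may later need is stored. Fails (non-fatally here) on a computer that is not domain-joined.
foreach ($rp in $recovery) {
    try {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.Id | Out-Null
    } catch {
        Write-Warning "AD DS backup of $($rp.Id) failed: $($_.Exception.Message)"
    }
}

# 3. Remove the unwanted protector(s) by GUID, re-reading the volume each time so the
#    safety check reflects what is really on disk, not a stale table.
foreach ($t in @($table | Where-Object Type -eq $RemoveProtectorType)) {
    $current   = @(Get-ProtectorTable $MountPoint)
    $remaining = @($current | Where-Object { $_.Id -ne $t.Id })
    if (-not ($remaining | Where-Object Type -eq 'RecoveryPassword')) {
        throw "Refusing to remove $($t.Type) $($t.Id): no recovery protector would remain on $MountPoint"
    }
    Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $t.Id | Out-Null
    Write-Host "Removed $($t.Type) protector $($t.Id) from $MountPoint"
}

# 4. Final state; Format-List avoids the truncation the article mentions.
Get-BitLockerVolume -MountPoint $MountPoint |
    Format-List MountPoint, VolumeType, ProtectionStatus, EncryptionPercentage, KeyProtector
```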

Using the BitLocker Windows PowerShell cmdlets with operating system volumes

Using the BitLocker Windows PowerShell cmdlets is similar to working with the manage-bde tool for encrypting operating system volumes. Windows PowerShell offers users flexibility. For example, users can add the desired protector as part of the command for encrypting the volume. Below are examples of common user scenarios and steps to accomplish them in BitLocker Windows PowerShell.

The following example shows how to enable BitLocker on an operating system drive using only the TPM protector:

Enable-BitLocker C:

The example below adds one additional protector, the StartupKey protector, and skips the BitLocker hardware test. In this example, encryption starts immediately without the need for a reboot.

Enable-BitLocker C: -StartupKeyProtector -StartupKeyPath <path> -SkipHardwareTest

Using the BitLocker Windows PowerShell cmdlets with data volumes

Data volume encryption using Windows PowerShell is the same as for operating system volumes. Add the desired protectors prior to encrypting the volume. The following example adds a password protector to the E: volume using the variable $pw as the password. The $pw variable is held as a SecureString value to store the user-defined password.

$pw = Read-Host -AsSecureString
<user inputs password>
Enable-BitLocker E: -PasswordProtector -Password $pw

Using an AD Account or Group protector in Windows PowerShell

The ADAccountOrGroup protector, introduced in Windows 8 and Windows Server 2012, is an Active Directory SID-based protector. This protector can be added to both operating system and data volumes, although it doesn't unlock operating system volumes in the pre-boot environment. The protector requires the SID for the domain account or group to link with the protector. BitLocker can protect a cluster-aware disk by adding a SID-based protector for the Cluster Name Object (CNO) that lets the disk properly fail over to and become unlocked by any member computer of the cluster.

The ADAccountOrGroup protector requires the use of an additional protector (such as TPM, PIN, or recovery key) when used on operating system volumes.

To add an ADAccountOrGroup protector to a volume, use either the actual domain SID or the group name preceded by the domain and a backslash. In the example below, the CONTOSO\Administrator account is added as a protector to the data volume G.

Enable-BitLocker G: -AdAccountOrGroupProtector -AdAccountOrGroup CONTOSO\Administrator

For users who wish to use the SID for the account or group, the first step is to determine the SID associated with the account. To get the specific SID for a user account in Windows PowerShell, use the following command:

Use of this command requires the RSAT-AD-PowerShell feature.

get-aduser -filter {samaccountname -eq "administrator"}

In addition to the PowerShell command above, information about the locally logged on user and group membership can be found using: WHOAMI /ALL. This doesn't require the use of additional features.

The following example adds an ADAccountOrGroup protector to the previously encrypted operating system volume using the SID of the account:

Add-BitLockerKeyProtector C: -ADAccountOrGroupProtector -ADAccountOrGroup S-1-5-21-3651336348-8937238915-291003330-500

Active Directory-based protectors are normally used to unlock Failover Cluster enabled volumes.
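The following script is an added example, not code from the Microsoft article: it resolves a domain account or group to its SID using the .NET NTAccount translation (which does not need the RSAT-AD-PowerShell feature the Get-ADUser route requires), then adds the ADAccountOrGroup protector with Add-BitLockerKeyProtector while enforcing the note above that an operating system volume must already carry another protector. CONTOSO\BitLockerAdmins and G: are placeholders; an elevated session on a domain-joined computer is assumed.

```powershell
# Added example, not from the Microsoft article: resolve a domain account or group to its SID
# without the RSAT-AD-PowerShell feature, then add it as an ADAccountOrGroup protector while
# enforcing the rule that an OS volume needs another protector alongside it.
# Assumes an elevated session on a domain-joined computer; the defaults below are placeholders.
param(
    [string]$MountPoint = "G:",
    [string]$Account    = "CONTOSO\BitLockerAdmins"
)
$ErrorActionPreference = "Stop"

function Resolve-AccountSid {
    # .NET NTAccount -> SecurityIdentifier translation does an LSA lookup against the domain
    # (or the local SAM), so it works wherever the computer can reach a domain controller.
    param([string]$NtAccount)
    $acct = New-Object System.Security.Principal.NTAccount($NtAccount)
    return $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Add-AdProtectorSafely {
    param([string]$Volume, [string]$Sid)
    $vol   = Get-BitLockerVolume -MountPoint $Volume
    $types = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })

    # A SID-based protector cannot unlock an OS volume pre-boot, so it must never be the only
    # protector there; a data volume carries no such constraint.
    if ($vol.VolumeType -eq 'OperatingSystem' -and -not ($types | Where-Object { $_ -ne 'AdAccountOrGroup' })) {
        throw "$Volume is an OS volume with no TPM, PIN, startup-key or recovery protector; add one first"
    }

    Add-BitLockerKeyProtector -MountPoint $Volume -AdAccountOrGroupProtector -AdAccountOrGroup $Sid | Out-Null

    # Verify the protector actually landed rather than trusting the call.
    $after = Get-BitLockerVolume -MountPoint $Volume
    $sidProtectors = @($after.KeyProtector | Where-Object { [string]$_.KeyProtectorType -eq 'AdAccountOrGroup' })
    if ($sidProtectors.Count -eq 0) { throw "No ADAccountOrGroup protector found on $Volume after adding one" }
    return $sidProtectors
}

$sid = Resolve-AccountSid $Account
# Domain (and local SAM) principals have S-1-5-21-... SIDs; anything else is a well-known or
# built-in SID, which is almost certainly a typo in $Account rather than what was intended.
if ($sid -notmatch '^S-1-5-21-') { throw "$Account resolved to $sid, not a domain account or group SID" }
Write-Host "$Account -> $sid"

Add-AdProtectorSafely -Volume $MountPoint -Sid $sid | Format-List KeyProtectorType, KeyProtectorId
```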

Related articles

  • BitLocker overview
  • BitLocker frequently asked questions (FAQ)
  • Prepare your organization for BitLocker: Planning and policies
  • BitLocker: How to enable Network Unlock
  • BitLocker: How to deploy on Windows Server 2012
Article information

Author: Msgr. Benton Quitzon

Last Updated: 02/12/2023