26 KiB
title, description, ms.collection, ms.topic, ms.date
| title | description | ms.collection | ms.topic | ms.date | |
|---|---|---|---|---|---|
| BitLocker operations guide | Learn how to use different tools to manage and operate BitLocker. |
|
how-to | 07/25/2023 |
BitLocker operations guide
There are differnt tools and options to manage and operate BitLocker:
- the BitLocker PowerShell module
- the BitLocker drive encryption tools
- Control Panel
The BitLocker drive encryption tools and BitLocker PowerShell module can be used to perform any tasks that can be accomplished through the BitLocker Control Panel. They are appropriate to use for automated deployments and other scripting scenarios.
The BitLocker Control Panel applet allows users to perform basic tasks such as turning on BitLocker on a drive and specifying unlock methods and authentication methods. The BitLocker Control Panel applet is appropriate to use for basic BitLocker tasks.
This article describes the BitLocker management tools and how to use them, providing practical examples.
BitLocker PowerShell module
The BitLocker PowerShell module enables administrators to integrate BitLocker options into existing scripts with ease. For a list of cmdlets included in module, their description and syntax, che the BitLocker PowerShell reference article.
BitLocker drive encryption tools
The BitLocker drive encryption tools include the two command-line tools:
- Configuration Tool (
manage-bde.exe) can be used for scripting BitLocker operations, offering options that aren't present in the BitLocker Control Panel applet. For a complete list of themanage-bde.exeoptions, see the Manage-bde reference - Repair Tool (
repair-bde.exe) is useful for disaster recovery scenarios, in which a BitLocker protected drive can't be unlocked normally or using the recovery console
BitLocker Control Panel applet
Encrypting volumes with the BitLocker Control Panel (select Start, enter BitLocker, select Manage BitLocker) is how many users will use BitLocker. The name of the BitLocker Control Panel applet is BitLocker Drive Encryption. The applet supports encrypting operating system, fixed data, and removable data volumes. The BitLocker Control Panel organizes available drives in the appropriate category based on how the device reports itself to Windows. Only formatted volumes with assigned drive letters appear properly in the BitLocker Control Panel applet.
To start encryption for a volume, select Turn on BitLocker for the appropriate drive to initialize the BitLocker Drive Encryption Wizard. BitLocker Drive Encryption Wizard options vary based on volume type (operating system volume or data volume).
OneDrive option
There's an option for storing the BitLocker recovery key using OneDrive. This option requires that computers aren't members of a domain and that the user is using a Microsoft Account. Local user accounts don't have the option to use OneDrive. Using the OneDrive option is the default recommended recovery key storage method for computers that aren't joined to a domain.
Users can verify whether the recovery key is saved properly by checking OneDrive for the BitLocker folder, which is created automatically during the save process. The folder contains two files, a readme.txt and the recovery key. For users storing more than one recovery password on their OneDrive, they can identify the required recovery key by looking at the file name. The recovery key ID is appended to the end of the file name.
Using BitLocker within Windows Explorer
Windows Explorer allows users to launch the BitLocker Drive Encryption Wizard by right-clicking a volume and selecting Turn On BitLocker. This option is available on client computers by default. On servers, the BitLocker feature and the Desktop-Experience feature must first be installed for this option to be available. After selecting Turn on BitLocker, the wizard works exactly as it does when launched using the BitLocker Control Panel.
Using the Control Panel, administrators can choose Turn on BitLocker to start the BitLocker Drive Encryption wizard and add a protector, like PIN for an operating system volume (or password if no TPM exists), or a password or smart card protector to a data volume. The drive security window displays prior to changing the volume status. Selecting Activate BitLocker will complete the encryption process.
Once BitLocker protector activation is completed, the completion notice is displayed.
Check the BitLocker status
To check the BitLocker status of a particular volume, administrators can look at the status of the drive in the BitLocker Control Panel applet, Windows Explorer, manage-bde.exe command-line tool, or Windows PowerShell cmdlets. Each option offers different levels of detail and ease of use.
Follow the instructions below verify the status of BitLocker, selecting the tool of your choice.
:::image type="icon" source="images/powershell.svg"::: PowerShell
To determine the current state of a volume you can use the Get-BitLockerVolume cmdlet, which provides information on the volume type, protectors, protection status, and other details. For example:
PS C:\> Get-BitLockerVolume C: | fl
ComputerName : DESKTOP
MountPoint : C:
EncryptionMethod : XtsAes128
AutoUnlockEnabled :
AutoUnlockKeyStored : False
MetadataVersion : 2
VolumeStatus : FullyEncrypted
ProtectionStatus : On
LockStatus : Unlocked
EncryptionPercentage : 100
WipePercentage : 0
VolumeType : OperatingSystem
CapacityGB : 1000
KeyProtector : {Tpm, RecoveryPassword}
:::image type="icon" source="images/cmd.svg"::: Command Prompt
With manage-bde.exe you can determine the volume status on the target system, for example:
manage-bde.exe -status
This command returns the volumes on the target, current encryption status, encryption method, and volume type (operating system or data) for each volume.
C:\>manage-bde -status
Volume C: [Local Disk]
[OS Volume]
Size: 1000 GB
BitLocker Version: 2.0
Conversion Status: Used Space Only Encrypted
Percentage Encrypted: 100.0%
Encryption Method: XTS-AES 128
Protection Status: Protection On
Lock Status: Unlocked
Identification Field: Unknown
Key Protectors:
TPM
Numerical Password
:::image type="icon" source="images/controlpanel.svg"::: Control Panel
Checking BitLocker status with the Control Panel is a common method used by most users. Once opened, the status for each volume is displayed next to the volume description and drive letter. Available status return values with applet include:
| Status | Description |
|---|---|
| On | BitLocker is enabled for the volume |
| Off | BitLocker isn't enabled for the volume |
| Suspended | BitLocker is suspended and not actively protecting the volume |
| Waiting for Activation | BitLocker is enabled with a clear protector key and requires further action to be fully protected |
If a drive is pre-provisioned with BitLocker, a status of Waiting for Activation displays with a yellow exclamation icon on the volume. This status means that there was only a clear protector used when encrypting the volume. In this case, the volume isn't in a protected state and needs to have a secure key added to the volume before the drive is fully protected. Administrators can use the Control Panel, PowerShell or manage-bde.exe tool to add an appropriate key protector. Once complete, the Control Panel will update to reflect the new status.
Enable BitLocker
OS drive with TPM protector
The following example shows how to enable BitLocker on an operating system drive using only the TPM protector and no recovery key:
:::image type="icon" source="images/powershell.svg"::: PowerShell
Enable-BitLocker C: -TpmProtector
:::image type="icon" source="images/cmd.svg"::: Command Prompt
manage-bde.exe -on C:
:::image type="icon" source="images/controlpanel.svg"::: Control Panel
OS drive with TPM protector and startup key
In the next example, we add one more protector, the StartupKey protector.
Assuming the OS drive letter is C: and the USB flash drive is drive letter E:, here's the command:
:::image type="icon" source="images/powershell.svg"::: PowerShell
If you choose to skip the BitLocker hardware test, encryption starts immediately without the need for a reboot.
Enable-BitLocker C: -StartupKeyProtector -StartupKeyPath E: -SkipHardwareTest
:::image type="icon" source="images/cmd.svg"::: Command Prompt
manage-bde.exe -protectors -add C: -TPMAndStartupKey E:
manage-bde.exe -on C:
If prompted, reboot the computer to complete the encryption process.
Note
After the encryption is completed, the USB startup key must be inserted before the operating system can be started.
:::image type="icon" source="images/controlpanel.svg"::: Control Panel
For the operating system volume the BitLocker Drive Encryption Wizard presents several screens that prompt for options while it performs several actions:
-
When the BitLocker Drive Encryption Wizard first launches, it verifies the computer meets the BitLocker system requirements for encrypting an operating system volume
-
Upon passing the initial configuration, users are prompted to enter a password for the volume if a TPM isn't available. If a TPM is available, the password screen is skipped
-
After the initial configuration/password screens, a recovery key will be generated. The BitLocker Drive Encryption Wizard will prompt for a location to save the recovery key. A BitLocker recovery key is a special key that is created when BitLocker Drive Encryption is turned on for the first time on each drive that is encrypted. The recovery key can be used to gain access to the device if:
- The drive that Windows is installed on (the operating system drive) is encrypted using BitLocker Drive Encryption
- BitLocker detects a condition that prevents it from unlocking the drive when the computer is starting up
A recovery key can also be used to gain access to the files and folders on a removable data drive (such as an external hard drive or USB flash drive) that is encrypted using BitLocker, if for some reason the password is forgotten or the device can't access the drive.
The recovery key can be stored using the following methods:
- Save to your Microsoft Entra ID account or Microsoft Account (if applicable)
- Save to a USB flash drive
- Save to a file - the file needs to be saved to a location that isn't on the computer itself such as a network folder or OneDrive
- Print the recovery key
The recovery key can't be stored at the following locations:
- The drive being encrypted
- The root directory of a non-removable/fixed drive
- An encrypted volume
Tip
Ideally, a recovery key should be stored separate from the device itself.
Note
After a recovery key is created, the BitLocker Control Panel can be used to make additional copies of the recovery key.
-
The BitLocker Drive Encryption Wizard prompts how much of the drive to encrypt. The BitLocker Drive Encryption Wizard has two options that determine how much of the drive is encrypted:
- Encrypt used disk space only - Encrypts only disk space that contains data
- Encrypt entire drive - Encrypts the entire volume including free space. Also known as full disk encryption
Each of the methods is recommended in the following scenarios:
-
Encrypt used disk space only:
- The drive has never had data
- Formatted or erased drives that in the past have never had confidential data that was never encrypted
-
Encrypt entire drive (full disk encryption):
- Drives that currently have data
- Drives that currently have an operating system
- Formatted or erased drives that in the past had confidential data that was never encrypted
Important
Deleted files appear as free space to the file system, which isn't encrypted by used disk space only. Until they are wiped or overwritten, deleted files hold information that could be recovered with common data forensic tools.
-
The BitLocker Drive Encryption Wizard will then prompt for an encryption mode:
- New encryption mode
- Compatible mode
Normally New encryption mode should be chosen, but if the drive will be potentially moved to another device with an older Windows operating system, select Compatible mode
-
After selecting an encryption mode, the BitLocker Drive Encryption Wizard will give the option of running a BitLocker system check via the option Run BitLocker system check. This system check ensures that BitLocker can properly access the recovery and encryption keys before the volume encryption begins. it's recommended run this system check before starting the encryption process. If the system check isn't run and a problem is encountered when the operating system attempts to start, the user will need to provide the recovery key to start Windows.
After completing the system check (if selected), the BitLocker Drive Encryption Wizard starts encryption. A reboot may be initiated to start encryption. If a reboot is initiated, if there was no TPM and a password was specified, the password must be entered to boot into the operating system volume.
Users can check encryption status by checking the system notification area or the BitLocker Control Panel.
Until encryption is completed, the only available options for managing BitLocker involve manipulation of the password protecting the operating system volume, backing up the recovery key, and turning off BitLocker.
:::image type="content" source="images/preboot-startup-key.png" alt-text="Screenshot of the BitLocker preboot screen asking for a USB drive containing the startup key.":::
Data volumes
Data volumes use the same syntax for encryption as operating system volumes but they don't require protectors for the operation to complete.
:::image type="icon" source="images/powershell.svg"::: PowerShell
Data volume encryption using Windows PowerShell is the same as for operating system volumes. Add the desired protectors prior to encrypting the volume. The following example adds a password protector to the E: volume using the variable $pw as the password. The $pw variable is held as a SecureString value to store the user-defined password:
$pw = Read-Host -AsSecureString
<user inputs password>
Enable-BitLockerKeyProtector E: -PasswordProtector -Password $pw
Note
The BitLocker cmdlet requires the key protector GUID enclosed in quotation marks to execute. Ensure the entire GUID, with braces, is included in the command.
Example: Use PowerShell to enable BitLocker with a TPM protector
Enable-BitLocker D: -EncryptionMethod XtsAes256 -UsedSpaceOnly -TpmProtector
Example: Use PowerShell to enable BitLocker with a TPM+PIN protector, in this case with a PIN set to 123456:
$SecureString = ConvertTo-SecureString "123456" -AsPlainText -Force
Enable-BitLocker C: -EncryptionMethod XtsAes256 -UsedSpaceOnly -Pin $SecureString -TPMandPinProtector
:::image type="icon" source="images/cmd.svg"::: Command Prompt
Data volumes use the same syntax for encryption as operating system volumes but they don't require protectors for the operation to complete. Encrypting data volumes can be done using the base command:
manage-bde.exe -on <drive letter>
or additional protectors can be added to the volume first. It's recommended to add at least one primary protector plus a recovery protector to a data volume.
:::image type="icon" source="images/controlpanel.svg"::: Control Panel
Encrypting data volumes using the BitLocker Control Panel works in a similar fashion to encryption of the operating system volumes. Users select Turn on BitLocker within the BitLocker Control Panel to begin the BitLocker Drive Encryption Wizard.
Manage BitLocker protectors
The management of BitLocker protectors consist in adding, removing, and backing up protectors.
Follow the instructions below manage BitLocker protectors, selecting the option that best suits your needs.
List protectors
The list of protectors available for a volume (C: in the example) can be listed by running the following command:
:::image type="icon" source="images/powershell.svg"::: PowerShell
(Get-BitLockerVolume -mountpoint C).KeyProtector
:::image type="icon" source="images/cmd.svg"::: Command Prompt
manage-bde.exe -protectors -get C:
:::image type="icon" source="images/controlpanel.svg"::: Control Panel
This information is not available in the Control Panel.
Add protectors
Add a recovery password protector
:::image type="icon" source="images/powershell.svg"::: PowerShell
Add-BitLockerKeyProtector -MountPoint C -RecoveryPasswordProtector
:::image type="icon" source="images/cmd.svg"::: Command Prompt
manage-bde.exe -protectors -add -recoverypassword C:
:::image type="icon" source="images/controlpanel.svg"::: Control Panel
This information is not available in the Control Panel.
Add a password protector
A common protector for a data volume is the password protector. In the next example, a password protector is added to a volume.
:::image type="icon" source="images/powershell.svg"::: PowerShell
Add-BitLockerKeyProtector -MountPoint D -PasswordProtector
:::image type="icon" source="images/cmd.svg"::: Command Prompt
manage-bde.exe -protectors -add -pw D:
:::image type="icon" source="images/controlpanel.svg"::: Control Panel
From the BitLocker Drive Encryption Control Panel applet, expand the drive where you want to add a password protector and select the option Add password. When prompted, enter and confirm a password to unlock the drive. Select Finish to complete the process.
Add an Active Directory protector
The ADAccountOrGroup protector is an Active Directory SID-based protector. This protector can be added to both operating system and data volumes, although it doesn't unlock operating system volumes in the pre-boot environment. The protector requires the SID for the domain account or group to link with the protector. BitLocker can protect a cluster-aware disk by adding an SID-based protector for the Cluster Name Object (CNO) that lets the disk properly failover and unlock to any member computer of the cluster.
Important
The SID-based protector requires the use of an additional protector such as TPM, PIN, recovery key, etc. when used on operating system volumes.
Note
This option is not available for Microsoft Entra joined devices.
Tip
Active Directory-based protectors are normally used to unlock Failover Cluster-enabled volumes.
In this example, a domain SID-based protector is added to a previously encrypted volume. The user knows the SID for the user account or group they wish to add and uses the following command:
:::image type="icon" source="images/powershell.svg"::: PowerShell
Add-BitLockerKeyProtector C: -ADAccountOrGroupProtector -ADAccountOrGroup "<SID>"
To add an ADAccountOrGroup protector to a volume, either the domain SID is needed or the group name preceded by the domain and a backslash. In the example below, the CONTOSO\Administrator account is added as a protector to the data volume G.
Enable-BitLocker G: -AdAccountOrGroupProtector -AdAccountOrGroup CONTOSO\Administrator
For users who wish to use the SID for the account or group, the first step is to determine the SID associated with the account. To get the specific SID for a user account in Windows PowerShell, use the following command:
Get-ADUser -filter {samaccountname -eq "administrator"}
Note
Use of this command requires the RSAT-AD-PowerShell feature.
Tip
In addition to the Windows PowerShell command above, information about the locally logged on user and group membership can be found using:
WHOAMI /ALL. This doesn't require the use of additional features.
:::image type="icon" source="images/cmd.svg"::: Command Prompt
manage-bde.exe -protectors -add -sid <user or group>
:::image type="icon" source="images/controlpanel.svg"::: Control Panel
This option is not available in the Control Panel.
Remove protectors
:::image type="icon" source="images/powershell.svg"::: PowerShell
To remove existing protectors on a volume, use the Remove-BitLockerKeyProtector cmdlet. A GUID associated with the protector to be removed must be provided.
The following commands return the list of key protectors and GUIDS:
$vol = Get-BitLockerVolume C
$keyprotectors = $vol.KeyProtector
$keyprotectors
By using this information, the key protector for a specific volume can be removed using the command:
Remove-BitLockerKeyProtector <volume> -KeyProtectorID "{GUID}"
Note
The BitLocker cmdlet requires the key protector GUID enclosed in quotation marks to execute. Ensure the entire GUID, with braces, is included in the command.
:::image type="icon" source="images/cmd.svg"::: Command Prompt
:::image type="icon" source="images/controlpanel.svg"::: Control Panel
From the BitLocker Drive Encryption Control Panel applet, expand the drive where you want to remove a protector and select the option to remove it, if available.
Note
You must have at least one unlock method for any BitLocker-encrypted drives.
Suspend and resume
Some configuration changes may require to suspend BitLocker and then resume it after the change is applied.
Follow the instructions below to suspend and resume BitLocker, selecting the option that best suits your needs.
Suspend BitLocker
:::image type="icon" source="images/powershell.svg"::: PowerShell
Suspend-BitLocker -MountPoint D
:::image type="icon" source="images/cmd.svg"::: Command Prompt
manage-bde.exe -protectors -disable d:
:::image type="icon" source="images/controlpanel.svg"::: Control Panel
You can only suspend BitLocker protection for the OS drive when using the Control Panel.
From the BitLocker Drive Encryption Control Panel applet, select the OS drive and select the option Suspend protection.
Resume BitLocker
:::image type="icon" source="images/powershell.svg"::: PowerShell
Resume-BitLocker -MountPoint D
:::image type="icon" source="images/cmd.svg"::: Command Prompt
manage-bde.exe -protectors -enable d:
:::image type="icon" source="images/controlpanel.svg"::: Control Panel
From the BitLocker Drive Encryption Control Panel applet, select the OS drive and select the option Resume protection.
Disable BitLocker
Disabling BitLocker decrypts and removes any associated protectors from the volumes. Decryption should occur when protection is no longer required, and not as a troubleshooting step.
Follow the instructions below to disable BitLocker, selecting the option that best suits your needs.
:::image type="icon" source="images/powershell.svg"::: PowerShell
Windows PowerShell offers the ability to decrypt multiple drives in one pass. In the example below, the user has three encrypted volumes, which they wish to decrypt.
Using the Disable-BitLocker command, they can remove all protectors and encryption at the same time without the need for more commands. An example of this command is:
Disable-BitLocker
To avoid specifying each mount point individually, use the -MountPoint parameter in an array to sequence the same command into one line, without requiring additional user input. Example:
Disable-BitLocker -MountPoint C,D
:::image type="icon" source="images/cmd.svg"::: Command Prompt
Decryption with manage-bde.exe offers the advantage of not requiring user confirmation to start the process. Manage-bde uses the -off command to start the decryption process. A sample command for decryption is:
manage-bde.exe -off C:
This command disables protectors while it decrypts the volume and removes all protectors when decryption is complete.
:::image type="icon" source="images/controlpanel.svg"::: Control Panel
BitLocker decryption using the Control Panel is done using a wizard. After opening the BitLocker Control Panel applet, select the Turn off BitLocker option to begin the process. To proceed, select the confirmation dialog. With Turn off BitLocker confirmed, the drive decryption process begins.
Once decryption is complete, the drive updates its status in the Control Panel and becomes available for encryption.