The command line offers many options for managing BitLocker that the BitLocker Drive Encryption manager (in the Control Panel) does not, so managing BitLocker from the Command Prompt can be very useful, especially for system administrators. This post discusses how you can enable and disable BitLocker encryption on operating system (boot) drives as well as fixed drives, set passwords, and create a USB Recovery Key for unlocking. All of this is done using manage-bde.exe, the command-line tool designed to manage BitLocker on the local machine. Note that all commands in this post are executed in a Command Prompt with elevated privileges, unless stated otherwise.
How to Check BitLocker Encryption Status using Command Line
We will start by checking the current status of BitLocker, which tells us its version, the encryption state, the percentage of the partition that is encrypted (if any), and whether the volume is currently locked or unlocked. To see the current encryption status of all volumes on the device, paste the following command into the Command Prompt:

You will now see the status of each volume on your computer, as in the image below. You can then continue to the steps below to enable and manage your BitLocker encryption.
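As an added example (not part of the original post), the following PowerShell function parses the text that manage-bde -status prints into one object per volume, so the protection state of every volume can be checked from a script rather than by reading the screen. The sample output embedded below is constructed to match the tool's layout, not captured from a real machine, and the function and variable names are my own.

```powershell
function ConvertFrom-ManageBdeStatus {
    # Turns the lines printed by "manage-bde -status" into objects (one per volume).
    param([Parameter(Mandatory)][string[]]$Lines)

    $volumes = [System.Collections.Generic.List[object]]::new()
    $current = $null
    foreach ($line in $Lines) {
        # Every volume block starts with a header such as "Volume C: [Windows]".
        if ($line -match '^Volume\s+([A-Za-z]:)\s*(\[(.*)\])?') {
            if ($null -ne $current) { $volumes.Add([pscustomobject]$current) }
            $current = [ordered]@{ Drive = $Matches[1]; Label = $Matches[3]; KeyProtectors = @() }
            continue
        }
        if ($null -eq $current) { continue }
        if ($line -match '^\s+([A-Za-z ]+):\s+(\S.*?)\s*$') {
            # "    Protection Status:    Protection On"  ->  key/value pair
            $current[$Matches[1]] = $Matches[2]
        }
        elseif ($line -match '^\s{8,}(\S.*?)\s*$') {
            # Deeper-indented lines under "Key Protectors:" name the protector types.
            $current['KeyProtectors'] += $Matches[1]
        }
    }
    if ($null -ne $current) { $volumes.Add([pscustomobject]$current) }
    return $volumes.ToArray()
}

function Get-VolumesNeedingAttention {
    # Returns the volumes whose protection is off or whose encryption is not finished.
    param([Parameter(Mandatory)][string[]]$StatusLines)
    ConvertFrom-ManageBdeStatus -Lines $StatusLines |
        Where-Object { $_.'Protection Status' -ne 'Protection On' -or $_.'Conversion Status' -ne 'Fully Encrypted' }
}

# Constructed sample of the tool's output (not captured from a real machine).
$sampleStatus = @'
BitLocker Drive Encryption: Configuration Tool version 10.0.19041
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume C: [Windows]
[OS Volume]

    Size:                 475.69 GB
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Identification Field: Unknown
    Key Protectors:
        TPM
        Numerical Password

Volume D: [Data]
[Data Volume]

    Size:                 931.51 GB
    BitLocker Version:    None
    Conversion Status:    Fully Decrypted
    Percentage Encrypted: 0.0%
    Encryption Method:    None
    Protection Status:    Protection Off
    Lock Status:          Unlocked
    Identification Field: None
    Key Protectors:       None Found
'@ -split "`r?`n"

ConvertFrom-ManageBdeStatus -Lines $sampleStatus |
    Format-Table Drive, Label, 'Conversion Status', 'Protection Status', 'Lock Status', KeyProtectors

# On a real machine, from an elevated prompt, feed the live output instead:
# Get-VolumesNeedingAttention -StatusLines (manage-bde -status)
```

With the constructed sample, Get-VolumesNeedingAttention returns only volume D:, since C: reports both "Protection On" and "Fully Encrypted". The parser keys on the indentation the tool uses (four spaces for fields, eight for protector names), so a future change in that layout would need the two regular expressions adjusted.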
How to Enable BitLocker using Command Line
There are two types of volume on a computer: the volume that contains the operating system (usually labeled C:) and the non-boot drives/volumes. When configuring BitLocker on a boot drive, you do not need to enable the auto-unlock feature, as the drive is unlocked automatically using either the Recovery Key or the pre-boot password. In the case of a non-boot drive, the auto-unlock feature can be enabled (it is not mandatory) so that you do not have to unlock the drive separately after you have logged into your system. This is discussed in detail further down the article. Furthermore, you can choose whether to unlock BitLocker encryption using just the Recovery Key (which can also be saved on a USB flash drive to be used as a key), a PIN/password, or both.
Enable BitLocker with Only Recovery Key
If you want to use only the Recovery Key, you need a secondary partition (one that is not locked) where you can store the Recovery Key, which has the .bek file extension. You can also use a USB flash drive to store that key, which will then act as the unlocking key for your PC. The complete syntax for enabling BitLocker is as follows:

In the command above, we have enabled BitLocker on volume C. This can be combined with parameters that generate a random 48-digit Recovery Key and store it in a location of our choice. In the example below, the command enables BitLocker on the C drive, creates a random Recovery Key, and saves it to the D drive:

Since the Recovery Key is a hidden file, you will not be able to see it with the default File Explorer settings, so do not worry if you cannot find the Recovery Key on the USB drive or on any other volume. The system now needs to run a hardware test before the encryption process starts. Restart the computer using the following command:

This will reboot your computer after one second. When it boots up again, keep the USB drive/volume connected to your system so that the OS drive can be unlocked. When you log in, you can see that your OS drive is being encrypted.

Image: Encryption in progress
Enable BitLocker with PIN Authentication and Recovery Key
You can also set a PIN or a password on your drive to unlock it, with or without a Recovery Key. We must warn you that if you lose or forget your PIN/password and have not created a Recovery Key, accessing or recovering the encrypted data will be very difficult.

Before we proceed with configuring BitLocker with a PIN or a password, we must enable pre-boot password and Personal Identification Number (PIN) support for BitLocker. Enabling PIN authentication requires the configuration of a Group Policy, which we have discussed here. You may click this link to learn how to configure it using the Windows GUI. Alternatively, you may download and execute the Windows Registry file given below (valid for Windows 10 and Windows 11) to automate the process. Here is how to run the .reg file successfully:

Wrongful manipulation of the Windows Registry can cause harm to your operating system. Therefore, we recommend that you create a system restore point before proceeding.

After the computer reboots, you may proceed to configure BitLocker with only a PIN or password authentication. Enter the following command, replacing “C:” with the letter of the drive that you want to encrypt:

You will now need to enter the password that you want to set and then confirm it, pressing Enter after each entry. If it is added successfully, you will see the message “Key protectors added.”

Image: Set and confirm PIN/password for BitLocker

Now use the following command to enable BitLocker on the drive while saving the Recovery Key on another volume, just as we did in the previous section of this article:

Note: You can also use only the first half of the command above (manage-bde -on c:) to enable BitLocker without creating a Recovery Key.

Now restart your computer using the command below. As the computer reboots, you will be asked to enter the PIN/password (if the OS drive has been encrypted). Enter your credentials to unlock the drive and boot in.

When you log in, you can see that the remainder of your volume is being encrypted. Allow the process to complete.

Image: Encryption in process
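The two OS-drive flows above (Recovery Key only, and pre-boot PIN/password plus Recovery Key) as one added PowerShell example. This is my own script, not code from the original post: it wraps the manage-bde calls, checks that the pre-boot authentication policy is actually on before trying to add a PIN/password protector (that check reads the UseAdvancedStartup value under the FVE policy key, which is where the Group Policy from this section is stored), confirms the hidden .bek file was written before rebooting, and stops on any non-zero exit code. The function and parameter names are assumptions of this example.

```powershell
function Enable-OsDriveBitLocker {
    # Enables BitLocker on the OS volume with a .bek recovery key, optionally adding a
    # pre-boot protector first, then reboots so the hardware test can run.
    param(
        [string]$OsDrive = 'C:',
        # Folder (USB stick or a second, unencrypted volume) that receives the hidden .bek file.
        [Parameter(Mandatory)][string]$RecoveryKeyPath,
        # TPMAndPIN needs a TPM; Password is the no-TPM option and needs the matching policy.
        [ValidateSet('None', 'TPMAndPIN', 'Password')][string]$PreBootProtector = 'None',
        [switch]$Reboot
    )

    if ($PreBootProtector -ne 'None') {
        # manage-bde rejects a PIN/password protector on the OS drive unless the
        # "Require additional authentication at startup" policy is enabled
        # (UseAdvancedStartup = 1 under the FVE policy key).
        $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
        if ($null -eq $fve -or $fve.UseAdvancedStartup -ne 1) {
            throw 'Pre-boot authentication policy is not enabled; apply the Group Policy or the .reg file first.'
        }
        # manage-bde prompts on the console for the PIN/password and a confirmation,
        # the same interactive step described in the post.
        manage-bde -protectors -add $OsDrive "-$PreBootProtector"
        if ($LASTEXITCODE -ne 0) { throw "Adding the $PreBootProtector protector failed (exit $LASTEXITCODE)." }
    }

    # Turn BitLocker on; -RecoveryKey writes the .bek file to the given folder.
    manage-bde -on $OsDrive -RecoveryKey $RecoveryKeyPath
    if ($LASTEXITCODE -ne 0) { throw "manage-bde -on $OsDrive failed (exit $LASTEXITCODE)." }

    # The .bek file is hidden, so list it with -Force to confirm it was written.
    $bek = Get-ChildItem -Path $RecoveryKeyPath -Filter '*.bek' -Force
    if (-not $bek) { throw "No .bek file found in $RecoveryKeyPath; do not reboot until the key exists." }
    Write-Host "Recovery key file(s): $($bek.FullName -join ', ')"

    # Encryption only starts after the hardware test on the next boot; keep the
    # recovery-key volume attached during that reboot.
    if ($Reboot) { shutdown /r /t 1 }
}

# Example invocations (run from an elevated PowerShell):
# Enable-OsDriveBitLocker -RecoveryKeyPath 'D:\' -Reboot
# Enable-OsDriveBitLocker -RecoveryKeyPath 'D:\' -PreBootProtector TPMAndPIN -Reboot
```

The policy check matters because the failure mode is otherwise confusing: manage-bde reports the protector could not be added and the volume is left without the pre-boot factor, which the script would then happily encrypt with the TPM alone. Checking for the .bek file before the reboot guards against the other common mistake, rebooting with a key that was never written to the removable volume.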
How to Enable BitLocker Auto-Unlock Feature using Command Line
If you have enabled BitLocker on non-OS volume(s), those volumes will need to be unlocked manually after you have logged into your system unless the auto-unlock feature is enabled. Without it, you will see the volume locked, as in the image below, and will need to either provide the Recovery Key or enter the PIN/password when trying to access it. The auto-unlock feature only unlocks the non-OS drives automatically if the OS drive was itself unlocked at startup using the BitLocker PIN/password or the Recovery Key. Follow the steps below to enable BitLocker while configuring the auto-unlock feature on a volume:

Note that this feature does not need to be enabled on boot drives, as they are unlocked automatically when the credentials are provided while the system is booting. The volume will now begin encryption. With this configuration, the non-OS volume(s) will be accessible without any further authentication as soon as you log in after unlocking the boot drive with the Recovery Key or PIN/password at startup.
How to Disable BitLocker Auto-Unlock Feature using Command Line
If you want to disable a drive’s auto-unlock feature, the drive must first be unlocked. Only then will you be able to remove the feature. If your drive is already unlocked, continue to the next section.
Unlock BitLocker Drive using Command Line
Alternatively, you can use the command below to provide the Recovery Key instead of the password to unlock the drive:

Your drive will now be unlocked. You may now move on to the next section to disable the auto-unlock feature.
Disable BitLocker Auto-Unlock using Command Line
Once you have ensured that the drive is unlocked, use the following command, replacing “D:” with the letter of the drive on which you want to disable the feature:

Automatic unlocking of the drive will now be disabled.
How to Turn Off BitLocker using Command Line
To turn off BitLocker encryption on your drive, first ensure that it is unlocked using the steps given above. You may then enter the following command in the Command Prompt to disable BitLocker, replacing “D:” with your drive letter:
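The non-OS (data) drive lifecycle covered in the last four sections, enabling with auto-unlock, unlocking, removing auto-unlock, and turning BitLocker off, as one added PowerShell example. This is my own script rather than the post's commands: each step runs the corresponding manage-bde switch, and the two operations that require an unlocked volume (auto-unlock removal and decryption) first read "Lock Status" from manage-bde -status and unlock the drive if needed. The function and parameter names are assumptions of this example.

```powershell
function Enable-DataDriveBitLocker {
    # Password protector + .bek recovery key on a data volume, optionally with auto-unlock.
    param(
        [Parameter(Mandatory)][string]$Drive,            # e.g. 'D:'
        [Parameter(Mandatory)][string]$RecoveryKeyPath,  # folder on another, unencrypted volume
        [switch]$AutoUnlock
    )
    # manage-bde prompts for the password twice on the console.
    manage-bde -protectors -add $Drive -Password
    if ($LASTEXITCODE -ne 0) { throw "Adding the password protector to $Drive failed (exit $LASTEXITCODE)." }
    manage-bde -on $Drive -RecoveryKey $RecoveryKeyPath
    if ($LASTEXITCODE -ne 0) { throw "manage-bde -on $Drive failed (exit $LASTEXITCODE)." }
    if ($AutoUnlock) {
        # Only works once the OS drive is itself protected, and only while the volume is unlocked.
        manage-bde -autounlock -enable $Drive
        if ($LASTEXITCODE -ne 0) { throw "Enabling auto-unlock on $Drive failed (exit $LASTEXITCODE)." }
    }
}

function Test-DataDriveUnlocked {
    # Reads "Lock Status" for one volume from manage-bde -status.
    param([Parameter(Mandatory)][string]$Drive)
    $status = manage-bde -status $Drive
    return [bool]($status -match 'Lock Status:\s+Unlocked')
}

function Unlock-DataDrive {
    param(
        [Parameter(Mandatory)][string]$Drive,
        [string]$RecoveryKeyFile   # full path to the .bek file; omit to be prompted for the password
    )
    if ($RecoveryKeyFile) {
        manage-bde -unlock $Drive -RecoveryKey $RecoveryKeyFile
    } else {
        manage-bde -unlock $Drive -Password
    }
    if ($LASTEXITCODE -ne 0) { throw "Unlocking $Drive failed (exit $LASTEXITCODE)." }
}

function Disable-DataDriveAutoUnlock {
    param([Parameter(Mandatory)][string]$Drive)
    # Auto-unlock can only be removed while the volume is unlocked.
    if (-not (Test-DataDriveUnlocked -Drive $Drive)) { Unlock-DataDrive -Drive $Drive }
    manage-bde -autounlock -disable $Drive
    if ($LASTEXITCODE -ne 0) { throw "Disabling auto-unlock on $Drive failed (exit $LASTEXITCODE)." }
}

function Disable-DataDriveBitLocker {
    param([Parameter(Mandatory)][string]$Drive)
    # Decryption likewise requires the volume to be unlocked first.
    if (-not (Test-DataDriveUnlocked -Drive $Drive)) { Unlock-DataDrive -Drive $Drive }
    manage-bde -off $Drive
    if ($LASTEXITCODE -ne 0) { throw "manage-bde -off $Drive failed (exit $LASTEXITCODE)." }
}

# Example invocations (run from an elevated PowerShell):
# Enable-DataDriveBitLocker -Drive 'D:' -RecoveryKeyPath 'E:\' -AutoUnlock
# Unlock-DataDrive -Drive 'D:' -RecoveryKeyFile 'E:\<id>.BEK'
# Disable-DataDriveAutoUnlock -Drive 'D:'
# Disable-DataDriveBitLocker -Drive 'D:'
```

Note that manage-bde -off starts decryption and returns immediately; the volume stays readable in the meantime, and manage-bde -status on the drive shows the decryption percentage until the conversion status reports fully decrypted.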
Manage-bde Syntax, Switches, and Parameters
As we mentioned before, manage-bde.exe provides a lot of other features to BitLocker which are not accessible through the GUI. Below is a list of the parameters of manage-bde and what they do:
If you get stuck with these parameters, add “/?” to the command and parameters in the Command Prompt to get more help. To learn more about these parameters, read Microsoft’s support page.
Similarly, the manage-bde -protectors command has quite a few switches of its own. Here’s a list:

Parameter     Description
-get          Displays all the key protection methods enabled on the drive and provides their type and identifier (ID).
-add          Adds key protection methods as specified by using additional -add parameters.
-delete       Deletes key protection methods used by BitLocker. All key protectors will be removed from a drive unless the optional -delete parameters are used to specify which protectors to delete. When the last protector on a drive is deleted, BitLocker protection of the drive is disabled to ensure that access to data is not lost inadvertently.
-disable      Disables protection, which will allow anyone to access encrypted data by making the encryption key available unsecured on the drive. No key protectors are removed. Protection will be resumed the next time Windows is booted unless the optional -disable parameters are used to specify the reboot count.
-enable       Enables protection by removing the unsecured encryption key from the drive. All configured key protectors on the drive will be enforced.
-adbackup     Backs up recovery information for the specified drive to Active Directory Domain Services (AD DS). Append the -id parameter and specify the ID of a specific recovery key to back up. The -id parameter is required.
-aadbackup    Backs up all recovery information for the specified drive to Azure Active Directory (Azure AD). Append the -id parameter and specify the ID of a specific recovery key to back up. The -id parameter is required.
Final Thoughts
There are quite a few things you can do for BitLocker from the Command Prompt alone. We started this post with the most basic commands and what they do, then worked our way up so that it is easier for you to understand BitLocker through the command line. Windows also provides tools similar to manage-bde, such as repair-bde, which you can use to recover encrypted data lost due to damaged hard disks. If you are using an operating system that does not have BitLocker, you can try out these alternatives to keep your data safe.