Windows 10 BitLocker Commands

email me


BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers.

BitLocker provides the most protection when used with a Trusted Platform Module (TPM) version 1.2 or later. The TPM is a hardware component installed in many newer computers by the computer manufacturers. It works with BitLocker to help protect user data and to ensure that a computer has not been tampered with while the system was offline.

On computers that do not have a TPM version 1.2 or later, you can still use BitLocker to encrypt the Windows operating system drive. However, this implementation will require the user to insert a USB startup key to start the computer or resume from hibernation. Starting with Windows 8, you can use an operating system volume password to protect the operating system volume on a computer without TPM. Both options do not provide the pre-startup system integrity verification offered by BitLocker with a TPM.

In addition to the TPM, BitLocker offers the option to lock the normal startup process until the user supplies a personal identification number (PIN) or inserts a removable device, such as a USB flash drive, that contains a startup key. These additional security measures provide multifactor authentication and assurance that the computer will not start or resume from hibernation until the correct PIN or startup key is presented.

See wiki


Commands and Scripting

Show BitLocker Status

Get-BitLockerVolume -MountPoint “C:”

COMMAND: manage-bde -status C:


Show BitLocker Password

(Get-BitLockerVolume -MountPoint C).KeyProtector.recoverypassword

COMMAND: manage-bde -protectors C: -get


Output BitLocker Password to Text File

(Get-BitLockerVolume -MountPoint C).KeyProtector.recoverypassword | select -Skip 1 | Out-File C:\password.txt


Read BitLocker Text File

$password = Get-Content C:\password.txt


Removing All Protectors (save as script.cmd)

for /f “skip=2 tokens=2 delims=:” %%f in (‘”C:\Windows\system32\manage-bde.exe -protectors -get c:”‘) do (
echo Removing Protector ID:%%f
“C:\Windows\system32\manage-bde.exe” -protectors -delete c: -id %%f >nul


Remove a Single Protector

$BitProtector = Get-BitLockerVolume -MountPoint “C:”
Remove-BitLockerKeyProtector -KeyProtectorId $BitProtector.KeyProtector[1].KeyProtectorId -MountPoint “C:”


Initializing TPM

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -Command “Initialize-Tpm

COMMAND: manage-bde -tpm -turnon

See What is TPM?


Enabling TPM – Enable the F1 prompt

enableBitLocker.vbs /on:tpm /l:C:\BitLocker\BitLockerlog.txt
—still looking into a PowerShell method that works


Adding Protector for System Drive

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -Command “Enable-BitLocker -MountPoint C: -EncryptionMethod Aes128 -UsedSpaceOnly -RecoveryPasswordProtector -SkipHardwareTest”

COMMAND: manage-bde -protectors -add C: -tpm



Enable BitLocker

Enable-BitLocker -MountPoint c: -UsedSpaceOnly -SkipHardwareTest -RecoveryPasswordProtector

COMMAND: manage-bde –on C:


Suspend BitLocker

Suspend-BitLocker -MountPoint “C:” -RebootCount 0

COMMAND: manage-bde –pause C:


Resume BitLocker

Resume-BitLocker -MountPoint “C:”

COMMAND: manage-bde –resume C:


Returning Protector Numerical ID (save as script.cmd)

for /f “skip=2 tokens=2 delims=:” %%g in (‘”C:\Windows\system32\manage-bde.exe -protectors -get c:”‘) do set MyVar=%%g
echo Protector ID:%MyVar%
set MyVar=%MyVar: =%


Verify a BitLocker Password was Returned

SET “var=”&for /f “delims=0123456789-” %%i in (“%Pass%”) do set var=%%i
rem if not matching the delims, exit
if defined var (exit)


Importing BitLocker Password into Active Directory using Numerical ID

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -Command “Get-BitLockerVolume -MountPoint C: | Backup-BitLockerKeyProtector -KeyProtectorID ‘%MyVar%’ “


Writing BitLocker Password to the Registry (save as script.cmd)

for /f “skip=5 tokens=1 delims=Password ” %%h in (‘”%ThePath%\manage-bde.exe -protectors -get c:”‘) do set Pass=%%h

reg.exe add HKEY_LOCAL_MACHINE\SOFTWARE\BitLockerPW /v PW /t REG_SZ /d %Pass% /f /reg:64

Note: If writing BitLocker PW to the registry, a good practice would be to encrypt/obfuscate it.

Note: There is a good chance if you’re compiling your scripts (in a non-64 bit manner), you may need to change from c:\windows\system32 to %windir%\sysnative. The System32 is reserved for 64 bit applications, while the WOW64 will recognize 32 bit applications.




The TPM chip can store numerous BitLocker IDs and passwords. If this isn’t cleared between computer setups, a new BitLocker password will be appended.

Note#2 If you have key rotation enabled, after a BitLocker password has been once, a new one will be created and securely stored [in SCCM or Azure].

Note#3 As newer Windows operating systems are released, TPM 2.0 (or newer) will become a requirement. This may prompt upgrading your fleet.


Plan for BitLocker management

Deploy BitLocker management

Manage BitLocker policy for Windows 10 in Intune