
How To Manage BitLocker?

Published Aug 29, 2025

Managing BitLocker involves more than just turning it on.

BitLocker key management and recovery

A core part of BitLocker management is handling the recovery keys and passwords that are generated when a drive is encrypted.

Recovery password vs. startup key

  • Recovery password: A 48-digit numeric password used to unlock a drive if the usual unlock method fails. It's stored as a separate protector on the volume.
  • Startup key: A key file stored on a USB flash drive. This can be used in combination with a TPM or on its own for pre-boot authentication.

Where to store recovery keys

  • Microsoft account: For personal devices signed in with a Microsoft account, recovery keys are backed up to the account automatically and can be retrieved at account.microsoft.com/devices/recoverykey.
  • Active Directory Domain Services (AD DS): For organizations, recovery keys should be backed up to Active Directory for centralized management and recovery by administrators. This is configured via Group Policy.
  • Text file or printout: You can save the key to a text file or print a hard copy. Keep it in a safe location away from the computer, never on the encrypted drive itself.

Methods for managing BitLocker

The right management tool depends on your technical skill and the scale of your environment.

Graphical User Interface (GUI)

The most common way for individual users to manage BitLocker is through the "Manage BitLocker" Control Panel applet.

  • Access: Open the Control Panel, navigate to System and Security, and select BitLocker Drive Encryption.
  • Functionality: Allows basic tasks like enabling, disabling, and suspending BitLocker, as well as backing up recovery keys.

Command-Line Interface (CLI)

For advanced users and scripting, the manage-bde.exe command-line tool provides granular control over BitLocker.

  • Check status: manage-bde -status shows the encryption state, method, and key protectors for all volumes.
  • Enable BitLocker: manage-bde -on C: enables BitLocker for the C: drive.
  • Manage protectors: manage-bde -protectors -add C: -rp adds a recovery password to the C: drive.
  • Unlock drive: manage-bde -unlock D: -recoverypassword <48-digit-key> unlocks a drive in recovery mode.

PowerShell

PowerShell provides a comprehensive module for managing BitLocker with cmdlets that are often simpler and more powerful for scripting than manage-bde.exe.

  • Check status: Get-BitLockerVolume returns detailed information about BitLocker volumes.
  • Enable with protectors:
    • Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -UsedSpaceOnly -TpmProtector enables BitLocker using the TPM.
    • Add-BitLockerKeyProtector -MountPoint "D:" -PasswordProtector adds a password protector to a data drive.
  • Suspend protection: Suspend-BitLocker -MountPoint "C:" suspends BitLocker for a drive. This is useful for system updates.
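As an added example (not code from the original article), the script below combines the cmdlets above to bring the C: volume into a protected state, escrowing the recovery password to AD DS before encryption starts so no volume is ever encrypted with an unbacked-up key. It assumes a domain-joined Windows 10/11 machine with a ready TPM, Group Policy that permits AD DS backup, and an elevated PowerShell session; the mount point and step order are choices made for this example.

```powershell
# Added example, not code from the original article. Order matters:
# escrow the recovery password first, turn encryption on second.
# Assumptions: domain-joined Windows 10/11, TPM ready, BitLocker module
# present, GPO allowing AD DS backup, elevated session.
$MountPoint = "C:"

# Enable-BitLocker -TpmProtector fails on a TPM that is not ready; stop early.
if (-not (Get-Tpm).TpmReady) { throw "TPM is not ready on this device" }

$vol = Get-BitLockerVolume -MountPoint $MountPoint

# 1. Make sure a recovery password protector exists before encryption starts,
#    so there is always a 48-digit key that can be escrowed.
$rp = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
if ($rp.Count -eq 0) {
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $rp  = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
}

# 2. Escrow every recovery password to AD DS. -ErrorAction Stop aborts the
#    script rather than continuing to encrypt with a key only this machine holds.
#    (On Azure AD-joined devices use BackupToAAD-BitLockerKeyProtector instead.)
foreach ($p in $rp) {
    Backup-BitLockerKeyProtector -MountPoint $MountPoint `
        -KeyProtectorId $p.KeyProtectorId -ErrorAction Stop | Out-Null
}

# 3. Only now turn encryption on, with the TPM as the unlock protector.
#    -SkipHardwareTest avoids the extra reboot-and-verify pass.
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
        -UsedSpaceOnly -TpmProtector -SkipHardwareTest | Out-Null
}

# 4. Report the resulting state. ProtectionStatus "Off" on a FullyEncrypted
#    volume means BitLocker is suspended (e.g. for a firmware update), not absent.
Get-BitLockerVolume -MountPoint $MountPoint |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod,
        EncryptionPercentage,
        @{ Name = 'Protectors'
           Expression = { ($_.KeyProtector.KeyProtectorType | Sort-Object -Unique) -join ', ' } }
```

Run it again after encryption finishes and it is idempotent: existing protectors are reused and the backup call simply re-escrows them.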

Enterprise-level management

For organizations, BitLocker management is typically handled through centralized tools.

Group Policy (GPO)

Domain-joined computers can have their BitLocker behavior enforced and configured through Group Policy.

  • Centralized configuration: GPOs can enforce encryption methods (e.g., AES-256), require specific authentication methods (e.g., TPM + PIN), and mandate the backup of recovery keys to AD DS.
  • Location: BitLocker GPO settings are located under Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption.

Microsoft Endpoint Manager (Intune / Configuration Manager)

Modern device management solutions like Intune can enforce and monitor BitLocker policies on Windows devices.

  • Profile-based deployment: Intune uses BitLocker profiles to manage encryption settings for devices that are not domain-joined (e.g., Azure AD-joined devices).
  • Monitoring and reporting: Intune provides centralized dashboards to monitor the encryption status of devices and ensure compliance.

Best practices for management

  • Back up recovery keys immediately: Always ensure recovery keys are safely stored in AD DS or a Microsoft account before or during encryption.
  • Use the right authentication method:
    • TPM only: Best for ease of use, as it's transparent to the user.
    • TPM + PIN: Offers higher security by requiring a user-entered PIN at boot.
  • Implement via GPO or Intune: For organizations, never rely on users to manually enable BitLocker. Centralized policy ensures consistency and simplifies key recovery.
  • Suspend for firmware updates: Major system firmware updates can trigger BitLocker recovery. Suspend BitLocker protection before running these updates to avoid requiring a recovery key.
  • Understand recovery scenarios: Familiarize yourself with the process of using a recovery key to unlock a drive, as this is essential for troubleshooting boot issues or recovering data from a damaged device.