In this post I will show how you can enable Windows BitLocker encryption from a command prompt, using either manage-bde or PowerShell.
Table of Contents
- Option 1 – Using PowerShell
- Option 2 – Using Manage-BDE in a Command Prompt
- Checking the backup status in Active Directory
- Checking the backup status in EntraID (if applicable)
Option 1 – Using PowerShell
Add a new protector
This will add a new protector and generate a recovery password that you can either back up manually or, optionally, back up to Active Directory.
# Add-BitLockerKeyProtector returns the whole volume, so keep only the recovery password protector
$protector = (Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword'
$protector.RecoveryPassword

Backup to Active Directory (Optional)
The computer must be able to reach a domain controller when this command is run.
Backup-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $protector.KeyProtectorId
Backup to EntraID (Optional)
BackupToAAD-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $protector.KeyProtectorId
Turn on Bitlocker
Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes128 -UsedSpaceOnly
Additional Drives
# Add recovery password (keep only the recovery password protector from the returned volume)
$dProtector = (Add-BitLockerKeyProtector -MountPoint "D:" -RecoveryPasswordProtector).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword'
# Optional AD / Entra backup
Backup-BitLockerKeyProtector -MountPoint "D:" -KeyProtectorId $dProtector.KeyProtectorId
# Or:
# BackupToAAD-BitLockerKeyProtector -MountPoint "D:" -KeyProtectorId $dProtector.KeyProtectorId
# Enable auto-unlock for data drives
Enable-BitLockerAutoUnlock -MountPoint "D:"
# Turn on BitLocker
Enable-BitLocker -MountPoint "D:" -EncryptionMethod XtsAes128 -UsedSpaceOnly
Check BitLocker Status
Get-BitLockerVolume
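The Option 1 steps combined into one function with the checks a practitioner would want, as an added example that is not code from the original post: it reuses an existing recovery password protector, refuses to turn BitLocker on if the escrow to AD or Entra fails, and reports the protector types afterwards. The function name, its parameters and the AD/Entra switch are my own; it assumes the built-in BitLocker PowerShell module on Windows 10 / Server 2016 or later.

```powershell
# Added example, not code from the original post. Assumes the built-in BitLocker
# module; Backup-BitLockerKeyProtector needs a reachable domain controller and
# BackupToAAD-BitLockerKeyProtector needs an Entra-joined device.
function Enable-BitLockerWithEscrow {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $MountPoint,       # e.g. "C:" or "D:"
        [ValidateSet('AD', 'Entra')] [string] $Backup = 'AD',
        [switch] $AutoUnlock                                # data drives only
    )

    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    if ($vol.VolumeStatus -ne 'FullyDecrypted') {
        Write-Warning "$MountPoint is already $($vol.VolumeStatus); nothing to do."
        return $vol
    }

    # Add-BitLockerKeyProtector returns the whole volume, so select the recovery
    # password protector from its KeyProtector list; reuse one if it already exists.
    $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $rp) {
        $rp = (Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector).KeyProtector |
              Where-Object KeyProtectorType -eq 'RecoveryPassword'
    }
    $rp = @($rp)[0]

    # Escrow before encrypting: a drive protected by a password nobody has stored
    # is a data-loss risk, so a failed backup aborts the whole operation.
    try {
        $params = @{ MountPoint = $MountPoint; KeyProtectorId = $rp.KeyProtectorId; ErrorAction = 'Stop' }
        if ($Backup -eq 'AD') { Backup-BitLockerKeyProtector @params | Out-Null }
        else                  { BackupToAAD-BitLockerKeyProtector @params | Out-Null }
    } catch {
        throw "Recovery password for $MountPoint was NOT escrowed to $Backup; BitLocker left off. $_"
    }

    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes128 -UsedSpaceOnly -ErrorAction Stop | Out-Null
    if ($AutoUnlock) {
        # Auto-unlock applies to data drives and relies on the OS drive being protected.
        Enable-BitLockerAutoUnlock -MountPoint $MountPoint -ErrorAction Stop | Out-Null
    }

    # Same check as the post's Get-BitLockerVolume step, reduced to the fields that matter.
    Get-BitLockerVolume -MountPoint $MountPoint |
        Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod,
            @{ n = 'Protectors'; e = { ($_.KeyProtector.KeyProtectorType | Sort-Object -Unique) -join ',' } }
}

# Usage: Enable-BitLockerWithEscrow -MountPoint 'C:'
#        Enable-BitLockerWithEscrow -MountPoint 'D:' -AutoUnlock
```

Run it from an elevated PowerShell session; the returned object should show ProtectionStatus On and RecoveryPassword among the protectors once encryption has started.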

Option 2 – Using Manage-BDE in a Command Prompt
The full Microsoft documentation for manage-bde can be found here: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/manage-bde
Add a new protector
This will add a new protector and generate a recovery password that you can either back up manually or, optionally, back up to Active Directory.
- Open a Command Prompt as administrator
- Enter the command
manage-bde -protectors -add C: -rp

Backup to Active Directory (Optional)
- Optional but recommended: back up the recovery password to Active Directory. Make sure you can ping one of your Domain Controllers, then issue the command below, replacing the ID with your own (it is shown after adding the protector in the previous step). If you are not backing up to AD, I recommend you take a manual backup of the password and of the longer GUID at the bottom of the prompt.
manage-bde -protectors -adbackup C: -id {0A48A9EF-B745-400F-BF33-5ABE1B223CE4}
Turn on Bitlocker
- Finally, enter the command below to switch BitLocker on, then reboot.
manage-bde -on C:
Additional drive(s)
For any additional local drives, e.g. a D: drive, follow the same steps as above, replacing C: with your drive letter. We will also want to run one additional command, -autounlock, so that no manual action is required to unlock the drive when needed.
There is no need to reboot after the last command.
manage-bde -protectors -add D: -rp
manage-bde -protectors -adbackup D: -id {B558C629-E5EA-4C74-BBBC-84D491A28134}
manage-bde -autounlock -enable D:
manage-bde -on D:
Checking the Bitlocker Status
You can use -status to check that everything is as it should be.
manage-bde -status

Checking the backup status in Active Directory
After running manage-bde with the -adbackup parameter, you should be able to confirm the backup was successful in the “BitLocker Recovery” tab in Active Directory.

Checking the backup status in EntraID (if applicable)
If you are syncing Active Directory to EntraID, you can confirm the BitLocker recovery password was backed up by searching for and selecting the computer in the Devices section.

“Replacing the ID with your own”
How do I determine the ID? For example, is it an objectGUID in AD? Is it some other GUID?
Hi,
This refers to the ID previously generated by the manage-bde -protectors -add C: -rp command.
Take a look at the screenshot just above that paragraph; the ID is circled in blue.
Let me know if you need any more information
Phil