Aug 16, 2019. BitLocker Drive Encryption is available on Windows 10 Pro, Enterprise and Education, not on Windows 10 Home. Your computer's firmware must support a TPM, or allow a startup key to be read from a USB device during boot. If it does not, check your PC manufacturer's support website for the latest firmware (BIOS/UEFI) update before trying to set up BitLocker. This article introduces five solutions to disable, turn off or remove BitLocker drive encryption in Windows 10.

Solution 1: Disable BitLocker from Control Panel.
Step 1: Open the Search bar and type Control Panel.
Step 2: Double-click BitLocker Drive Encryption.
Step 3: Expand the BitLocker-encrypted drive.
Step 4: Click Turn off BitLocker.
Step 5: Click Turn off BitLocker in the confirmation window.

Dec 23, 2016. So I'm looking into BitLocker. I know that with Windows 7 you had to have the Enterprise version to use BitLocker. With Windows 8 and 10 it comes with it by default. I've used it at home. However, I'm curious: can you manage Windows 10 BitLocker via Active Directory with just Windows 10 Pro? (We're a Pro environment.)

BitLocker is commonly used in the enterprise for endpoint encryption and is now included with Windows 10 Pro, Enterprise and Education licenses. It also comes built into many Windows Server platforms. Because BitLocker is a free feature in commonly used flavors of the Windows OS, it's not surprising that enterprises opt to make use of it rather.
- Manage BitLocker in Windows 10. Hello, I suggest you follow the methods below and check if it helps: Go to Control Panel and click on BitLocker Drive Encryption. Click on Turn on BitLocker. Let us know if you need further assistance. We will be happy to help.
- BitLocker is only available in the Pro and Enterprise editions of Windows 10; if you've got Windows 10 Home, that feature won't be available to you.
When do you change your BitLocker password or startup PIN? Most people reset their password only when they forget it. It is better to change the BitLocker startup PIN or password periodically to keep the operating system drive or removable drives secure. Note that changing the PIN or password only replaces that one protector; it does not re-encrypt the drive, and any recovery password that may have been exposed remains valid until it is removed and replaced. This tutorial shows how to change or reset the BitLocker startup PIN or password of an encrypted drive in Windows 10.
1. Change/Reset the BitLocker PIN or Password in File Explorer
Press Win+E to open File Explorer. Under This PC, right-click the operating system drive (or another drive encrypted with BitLocker) and select 'Change BitLocker PIN' from the context menu; for a data drive the entry is 'Change BitLocker password'.
Enter the old PIN, then enter the new PIN twice, and click Change PIN.
If you have forgotten your startup PIN, click the 'Reset a forgotten PIN' link below instead. It lets you set a new PIN without asking for the current one; because this bypasses the old PIN, it requires administrator rights on the computer, so expect an elevation prompt.
2. Change/Reset the BitLocker PIN or Password in Control Panel
If you forget your BitLocker password, you can still unlock the encrypted data drive with its recovery password, but you will have to enter that recovery password every time you open the drive until you set a new password. Resetting the forgotten password avoids that inconvenience.
Click on the Start Menu. In the search box, type 'Manage BitLocker', then hit Enter to open the Manage BitLocker window.
Click Change password for the desired drive.
Enter the old password, then enter the new password twice. When done, click Change password.
If you have forgotten your BitLocker password, click the 'Reset a forgotten password' link below instead.
It lets you set a new password without asking for the current one; the drive must already be unlocked (for example with its recovery password) for this to work.
3. Change/Reset the BitLocker PIN or Password in Command Prompt
Press Win+X, then A, on the keyboard to open an elevated console. Depending on your settings this is Command Prompt (Admin) or Windows PowerShell (Admin); manage-bde works in either.
To change the BitLocker PIN, enter the following command in the Command Prompt window.
Manage-bde -changepin C:
To change the BitLocker password, use the following command, and then press Enter.
manage-bde -changepassword <drive letter>
If your Windows partition is not C:, use the drive letter that is appropriate for your system.
Type the new PIN when prompted and press Enter, then type it again to confirm and press Enter. For security reasons, the PIN is not displayed as you type it.
If the PIN was updated successfully, you can close the elevated command prompt.
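The same PIN change, scripted with the checks a practitioner wants before touching the protector. This is an added example, not part of the original tutorial; it assumes an elevated PowerShell session with the BitLocker module (Windows 10 Pro/Enterprise/Education) and an OS volume already protected with TPM+PIN. It first confirms that a recovery password exists (adding and escrowing one if it does not), because a changed PIN does not re-key the drive and a forgotten PIN can only be recovered with that password.

```powershell
# Added example (not from the original tutorial): check the OS volume's protectors
# before changing the startup PIN, then change it with manage-bde.
# Assumes: Windows 10 Pro/Enterprise/Education, an elevated PowerShell session,
# the BitLocker PowerShell module, and an OS volume already protected with TPM+PIN.

$osDrive = $env:SystemDrive            # normally "C:"
$vol = Get-BitLockerVolume -MountPoint $osDrive

# A PIN can only be changed if a TPM+PIN (or TPM+PIN+StartupKey) protector exists.
$pinProtector = $vol.KeyProtector | Where-Object {
    $_.KeyProtectorType -in 'TpmPin', 'TpmPinStartupKey'
}
if (-not $pinProtector) {
    throw "$osDrive has no TPM+PIN protector; there is no startup PIN to change."
}

# Changing the PIN does not re-key the volume. If the PIN is forgotten, the
# recovery password is the only way back in, so make sure one exists first.
$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $recovery) {
    Write-Warning "$osDrive has no recovery password protector. Adding one before changing the PIN."
    Add-BitLockerKeyProtector -MountPoint $osDrive -RecoveryPasswordProtector | Out-Null
    $vol = Get-BitLockerVolume -MountPoint $osDrive
    $recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    # Escrow the new recovery password in AD DS. This only succeeds on a
    # domain-joined machine with the AD DS backup policy in place.
    try {
        Backup-BitLockerKeyProtector -MountPoint $osDrive -KeyProtectorId $recovery[0].KeyProtectorId
    } catch {
        Write-Warning "AD DS backup failed: $($_.Exception.Message). Record the recovery password manually."
    }
}

# manage-bde prompts for the new PIN and then asks for it again to confirm;
# the input is not echoed. It exits non-zero if the PIN violates policy
# (for example the minimum length set by Group Policy).
& manage-bde -changepin $osDrive
if ($LASTEXITCODE -ne 0) {
    throw "manage-bde -changepin failed with exit code $LASTEXITCODE"
}

# Confirm the volume still shows a TPM+PIN protector and that protection is on.
Get-BitLockerVolume -MountPoint $osDrive |
    Select-Object MountPoint, ProtectionStatus,
        @{ n = 'Protectors'; e = { ($_.KeyProtector.KeyProtectorType -join ', ') } }
```

Run it from an elevated prompt; the final line should list TpmPin (or TpmPinStartupKey) and RecoveryPassword among the protectors with ProtectionStatus On.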
Applies to
- Windows 10
This topic for the IT professional describes how to use tools to manage BitLocker.
BitLocker Drive Encryption Tools include the command line tools manage-bde and repair-bde and the BitLocker cmdlets for Windows PowerShell.
Both manage-bde and the BitLocker cmdlets can be used to perform any task that can be accomplished through the BitLocker control panel and are appropriate to use for automated deployments and other scripting scenarios.
Repair-bde is a special circumstance tool that is provided for disaster recovery scenarios in which a BitLocker protected drive cannot be unlocked normally or using the recovery console.
Manage-bde
Manage-bde is a command-line tool that can be used for scripting BitLocker operations. Manage-bde offers additional options not displayed in the BitLocker control panel. For a complete list of the manage-bde options, see the Manage-bde command-line reference.
Manage-bde has fewer default settings and requires more explicit configuration of BitLocker. For example, using just the
manage-bde -on
command on a data volume will fully encrypt the volume without adding any authenticating protector. Although the command completes successfully, such a volume still requires user interaction before it is actually protected, because an authentication method must be added to the volume before BitLocker protection can be turned on. The following sections provide examples of common usage scenarios for manage-bde.
Using manage-bde with operating system volumes
Listed below are examples of basic valid commands for operating system volumes. In general, using only the
manage-bde -on <drive letter>
command will encrypt the operating system volume with a TPM-only protector and no recovery key. However, many environments require stronger protectors such as a password or PIN, and expect to be able to recover data with a recovery key. It is recommended that at least one primary protector and a recovery protector be added to an operating system volume.
A good practice when using manage-bde is to determine the volume status on the target system first. Use the following command:
manage-bde -status
This command returns, for each volume on the target, the current encryption status, encryption method, and volume type (operating system or data).
The following example illustrates enabling BitLocker on a computer without a TPM chip. Before beginning the encryption process you must create the startup key needed by BitLocker and save it to the USB drive. When BitLocker is enabled for the operating system volume, BitLocker will need to access the USB flash drive to obtain the encryption key (in this example, the drive letter E represents the USB drive). You will be prompted to reboot to complete the encryption process.
manage-bde -protectors -add C: -startupkey E:
manage-bde -on C:
Note: After the encryption is completed, the USB startup key must be inserted before the operating system can be started.
An alternative to the startup key protector on non-TPM hardware is to use a password and an ADAccountOrGroup protector to protect the operating system volume. In this scenario, you would add the protectors first. This is done with the command:
manage-bde -protectors -add C: -pw -sid <DOMAIN\user or group>
This command will require you to enter and then confirm the password protector before the protectors are added to the volume. With the protectors on the volume, you can then turn BitLocker on:
manage-bde -on C:
On computers with a TPM it is possible to encrypt the operating system volume without explicitly adding any protectors using manage-bde. The command to do this is:
manage-bde -on C:
This will encrypt the drive using the TPM as the default protector. If you are not sure whether a TPM protector is available, list the protectors on a volume with the following command:
manage-bde -protectors -get <drive letter>
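The recommended order for an operating system volume (recovery protector first, then the primary protector, then encryption) as one script. This is an added example, not code from the original article; it wraps manage-bde in PowerShell so that every step's exit code is checked, and it assumes an elevated session on a domain-joined Windows 10 machine with a ready TPM. The drive letter is a placeholder, and the TPM+PIN step prompts interactively for the PIN.

```powershell
# Added example (not from the original article): provision an OS volume with
# manage-bde in the recommended order: check status, add a recovery password,
# back it up to AD DS, add a TPM+PIN protector, then turn BitLocker on.
# Assumes an elevated PowerShell session on a domain-joined Windows 10 machine
# with a ready TPM. 'C:' is a placeholder for the OS volume.

$drive = 'C:'

function Invoke-ManageBde {
    # Runs manage-bde with the given arguments and fails loudly on a non-zero
    # exit code, which manage-bde uses for every error (TPM not ready, bad
    # arguments, policy violations), so the script never silently continues.
    param([string[]]$ArgumentList)
    $out = & manage-bde @ArgumentList 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "manage-bde $($ArgumentList -join ' ') failed ($LASTEXITCODE): $out"
    }
    return $out
}

# 1. Refuse to continue if the volume is already encrypting or encrypted.
$status = (Invoke-ManageBde -ArgumentList @('-status', $drive)) -join "`n"
if ($status -match 'Conversion Status:\s+(Fully Encrypted|Encryption in Progress)') {
    throw "$drive is already encrypted or encrypting; nothing to do."
}

# 2. A TPM that is not present or not ready is the usual reason -on fails.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM not usable (Present=$($tpm.TpmPresent), Ready=$($tpm.TpmReady))."
}

# 3. Recovery protector first, so a lost PIN never means lost data.
#    manage-bde prints the 48-digit recovery password; it is discarded here
#    because the next step escrows it in AD DS.
Invoke-ManageBde -ArgumentList @('-protectors', '-add', $drive, '-RecoveryPassword') | Out-Null

# Find the GUID of the recovery password protector so it can be escrowed.
$rp = (Invoke-ManageBde -ArgumentList @('-protectors', '-get', $drive, '-type', 'RecoveryPassword')) -join "`n"
$guid = [regex]::Match($rp, 'ID:\s*(\{[0-9A-Fa-f-]+\})').Groups[1].Value
if (-not $guid) { throw 'Could not find the recovery password protector ID in manage-bde output.' }
Invoke-ManageBde -ArgumentList @('-protectors', '-adbackup', $drive, '-id', $guid) | Out-Null

# 4. Primary protector: TPM + PIN. Run this one without capturing output so the
#    interactive PIN prompts are visible to the operator.
& manage-bde -protectors -add $drive -TPMAndPIN
if ($LASTEXITCODE -ne 0) { throw "Adding the TPM+PIN protector failed ($LASTEXITCODE)." }

# 5. Now encrypt. Used-space-only is appropriate for a freshly imaged drive;
#    XTS-AES 256 is the strongest method manage-bde offers on Windows 10 1511+.
Invoke-ManageBde -ArgumentList @('-on', $drive, '-UsedSpaceOnly', '-EncryptionMethod', 'xts_aes256') | Out-Null

# Final status: expect "TPM And PIN" and "Numerical Password" under Key Protectors.
Invoke-ManageBde -ArgumentList @('-status', $drive)
```

The escrow step (step 3) is where most scripted deployments go wrong: if the AD DS backup fails the script stops before the PIN is set, which is the safe direction, since the recovery password printed by step 3 is then the only copy and the operator can record it before retrying.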
Using manage-bde with data volumes
Data volumes use the same syntax for encryption as operating system volumes but they do not require protectors for the operation to complete. Encrypting data volumes can be done using the base command:
manage-bde -on <drive letter>
or you can choose to add additional protectors to the volume first. It is recommended that at least one primary protector and a recovery protector be added to a data volume.
A common protector for a data volume is the password protector. In the example below, we add a password protector to the volume and then turn BitLocker on:
manage-bde -protectors -add -pw <drive letter>
manage-bde -on <drive letter>
Repair-bde
You may experience a problem that damages an area of a hard disk on which BitLocker stores critical information. This kind of problem may be caused by a hard disk failure or by Windows exiting unexpectedly.
The BitLocker Repair Tool (Repair-bde) can be used to access encrypted data on a severely damaged hard disk if the drive was encrypted by using BitLocker. Repair-bde can reconstruct critical parts of the drive and salvage recoverable data as long as a valid recovery password or recovery key is used to decrypt the data. If the BitLocker metadata on the drive has become corrupt, you must also be able to supply a backup key package in addition to the recovery password or recovery key. This key package is backed up in Active Directory Domain Services (AD DS) if you used the default setting for AD DS backup. With this key package and either the recovery password or recovery key, you can decrypt portions of a BitLocker-protected drive if the disk is corrupted. Each key package will work only for the drive that has the corresponding drive identifier. You can use the BitLocker Recovery Password Viewer to obtain this key package from AD DS.
Tip: If you are not backing up recovery information to AD DS, or if you want to save key packages elsewhere, you can use the command
manage-bde -KeyPackage
to generate a key package for a volume.
The Repair-bde command-line tool is intended for use when the operating system does not start or when you cannot start the BitLocker Recovery Console. You should use Repair-bde if the following conditions are true:
- You have encrypted the drive by using BitLocker Drive Encryption.
- Windows does not start, or you cannot start the BitLocker recovery console.
- You do not have a copy of the data that is contained on the encrypted drive.
Note: Damage to the drive may not be related to BitLocker. Therefore, we recommend that you try other tools to help diagnose and resolve the problem with the drive before you use the BitLocker Repair Tool. The Windows Recovery Environment (Windows RE) provides additional options to repair computers.
The following limitations exist for Repair-bde:
- The Repair-bde command-line tool cannot repair a drive that failed during the encryption or decryption process.
- The Repair-bde command-line tool assumes that if the drive has any encryption, then the drive has been fully encrypted.
For more information about using repair-bde, see Repair-bde.
BitLocker cmdlets for Windows PowerShell
Windows PowerShell cmdlets give administrators another way of working with BitLocker. Using Windows PowerShell's scripting capabilities, administrators can integrate BitLocker operations into existing scripts with ease. The table below lists the available BitLocker cmdlets and their parameters.
| Name | Parameters |
|---|---|
| Add-BitLockerKeyProtector | -ADAccountOrGroup -ADAccountOrGroupProtector -Confirm -MountPoint -Password -PasswordProtector -Pin -RecoveryKeyPath -RecoveryKeyProtector -RecoveryPassword -RecoveryPasswordProtector -Service -StartupKeyPath -StartupKeyProtector -TpmAndPinAndStartupKeyProtector -TpmAndPinProtector -TpmAndStartupKeyProtector -TpmProtector -WhatIf |
| Backup-BitLockerKeyProtector | -Confirm -KeyProtectorId -MountPoint -WhatIf |
| Disable-BitLocker | -Confirm -MountPoint -WhatIf |
| Disable-BitLockerAutoUnlock | -Confirm -MountPoint -WhatIf |
| Enable-BitLocker | -ADAccountOrGroup -ADAccountOrGroupProtector -Confirm -EncryptionMethod -HardwareEncryption -Password -PasswordProtector -Pin -RecoveryKeyPath -RecoveryKeyProtector -RecoveryPassword -RecoveryPasswordProtector -Service -SkipHardwareTest -StartupKeyPath -StartupKeyProtector -TpmAndPinAndStartupKeyProtector -TpmAndPinProtector -TpmAndStartupKeyProtector -TpmProtector -UsedSpaceOnly -WhatIf |
| Enable-BitLockerAutoUnlock | -Confirm -MountPoint -WhatIf |
| Get-BitLockerVolume | -MountPoint |
| Lock-BitLocker | -Confirm -ForceDismount -MountPoint -WhatIf |
| Remove-BitLockerKeyProtector | -Confirm -KeyProtectorId -MountPoint -WhatIf |
| Resume-BitLocker | -Confirm -MountPoint -WhatIf |
| Suspend-BitLocker | -Confirm -MountPoint -RebootCount -WhatIf |
| Unlock-BitLocker | -ADAccountOrGroup -Confirm -MountPoint -Password -RecoveryKeyPath -RecoveryPassword -WhatIf |
A good initial step is to determine the current state of the volumes on the computer. You can do this using the
Get-BitLockerVolume
cmdlet. The Get-BitLockerVolume cmdlet output gives information on the volume type, protectors, protection status and other details.
Tip: Occasionally, not all protectors are shown when using
Get-BitLockerVolume
because of lack of space in the output display. If you do not see all of the protectors for a volume, you can use the Windows PowerShell pipe (|) to format a full listing of the protectors:
Get-BitLockerVolume C: | fl
If you want to remove the existing protectors prior to provisioning BitLocker on the volume, you can use the
Remove-BitLockerKeyProtector
cmdlet. Doing so requires the GUID of the protector to be removed. A simple script can capture the key protectors returned by Get-BitLockerVolume into another variable, as seen below:
$vol = Get-BitLockerVolume
$keyprotectors = $vol.KeyProtector
Using this, you can display the contents of the $keyprotectors variable to determine the GUID for each protector.
Using this information, you can then remove the key protector for a specific volume using the command:
Remove-BitLockerKeyProtector <volume> -KeyProtectorID "{GUID}"
Note: The BitLocker cmdlet requires the key protector GUID enclosed in quotation marks to execute. Ensure the entire GUID, with braces, is included in the command.
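The GUID lookup and removal above, as a reusable script with the guard a practitioner wants. This is an added example, not code from the original article; it assumes the BitLocker module on Windows 10 Pro/Enterprise/Education and an elevated session, and it uses E: as a placeholder volume. It refuses to remove the last remaining protector, because an encrypted volume with no protector cannot be unlocked once it is locked or the machine reboots.

```powershell
# Added example (not from the original article): list every key protector on a
# volume with its GUID, then remove protectors of a chosen type by GUID while
# refusing to leave the volume with no protector at all.
# Assumes the BitLocker module and an elevated PowerShell session.

function Get-ProtectorTable {
    param([string]$MountPoint)
    # Get-BitLockerVolume truncates the KeyProtector column in table output;
    # expanding the nested objects ourselves makes every GUID visible.
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Select-Object KeyProtectorType, KeyProtectorId, RecoveryPassword
}

function Remove-ProtectorByType {
    param(
        [string]$MountPoint,
        [string]$Type,     # e.g. 'RecoveryPassword', 'Password', 'ExternalKey', 'TpmPin'
        [switch]$WhatIf
    )
    $protectors = @((Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector)
    $victims    = @($protectors | Where-Object KeyProtectorType -eq $Type)
    if ($victims.Count -eq 0) {
        Write-Warning "No $Type protector on $MountPoint; nothing removed."
        return
    }
    # Removing the last protector leaves an encrypted volume that nothing can
    # unlock after the next lock or reboot, so refuse that case outright.
    if ($protectors.Count -le $victims.Count) {
        throw "Refusing to remove the only protector(s) on $MountPoint."
    }
    foreach ($p in $victims) {
        # The cmdlet wants the GUID as a string, braces included; KeyProtectorId
        # already has that form, so it can be passed through unchanged.
        Remove-BitLockerKeyProtector -MountPoint $MountPoint `
            -KeyProtectorId $p.KeyProtectorId -WhatIf:$WhatIf
    }
}

# Usage: show the protectors on E:, then dry-run removal of its password protector.
Get-ProtectorTable -MountPoint 'E:' | Format-Table -AutoSize
Remove-ProtectorByType -MountPoint 'E:' -Type 'Password' -WhatIf
```

Drop -WhatIf to perform the removal. Because the functions work on KeyProtectorType rather than a pasted GUID, the same script can be run across many machines without the operator copying identifiers by hand.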
Using the BitLocker Windows PowerShell cmdlets with operating system volumes
Using the BitLocker Windows PowerShell cmdlets is similar to working with the manage-bde tool for encrypting operating system volumes. Windows PowerShell offers users a lot of flexibility. For example, users can add the desired protector as part of the command that encrypts the volume. Below are examples of common user scenarios and the steps to accomplish them with the BitLocker Windows PowerShell cmdlets.
The following example shows how to enable BitLocker on an operating system drive using only the TPM protector:
Enable-BitLocker C: -TpmProtector
The example below adds one additional protector, the StartupKey protector, and skips the BitLocker hardware test. In this case encryption starts immediately without the need for a reboot:
Enable-BitLocker C: -StartupKeyProtector -StartupKeyPath <path> -SkipHardwareTest
Using the BitLocker Windows PowerShell cmdlets with data volumes
Data volume encryption using Windows PowerShell is the same as for operating system volumes. You should add the desired protectors prior to encrypting the volume. The following example adds a password protector to the E: volume using the variable $pw as the password. The $pw variable is held as a SecureString value to store the user-defined password:
$pw = Read-Host -AsSecureString
Enable-BitLocker E: -PasswordProtector -Password $pw
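A complete data-volume provisioning run with the cmdlets, going beyond the single command above: it adds a recovery password before the password protector, escrows it, and enables auto-unlock only when the OS volume is itself protected. This is an added example, not code from the original article; it assumes an elevated session on a domain-joined Windows 10 machine and uses E: as a placeholder data volume.

```powershell
# Added example (not from the original article): encrypt a data volume with the
# BitLocker cmdlets, adding a recovery password and a password protector before
# encryption starts, escrowing the recovery password, and enabling auto-unlock
# only if the OS volume is itself protected.
# Assumes an elevated session on a domain-joined Windows 10 machine; 'E:' is a
# placeholder data volume.

$data = 'E:'

# Prompt for the password as a SecureString so it never sits in a plain string.
$pw = Read-Host -Prompt "Password for $data" -AsSecureString

# Enable-BitLocker takes exactly one protector per call, so add the recovery
# password with Add-BitLockerKeyProtector first and then enable with the password.
Add-BitLockerKeyProtector -MountPoint $data -RecoveryPasswordProtector | Out-Null
Enable-BitLocker -MountPoint $data -PasswordProtector -Password $pw `
    -EncryptionMethod XtsAes256 -UsedSpaceOnly | Out-Null

# Escrow the recovery password in AD DS. Backup-BitLockerKeyProtector throws if
# the machine is not domain-joined or the AD DS backup policy is not configured.
$vol = Get-BitLockerVolume -MountPoint $data
$rp  = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
try {
    Backup-BitLockerKeyProtector -MountPoint $data -KeyProtectorId $rp[0].KeyProtectorId
} catch {
    Write-Warning "AD DS backup failed: $($_.Exception.Message). Store the recovery password elsewhere."
}

# Auto-unlock stores an external key for E: on the OS volume, so it is only
# safe when the OS volume is encrypted and its protection is on.
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
if ($os.ProtectionStatus -eq 'On') {
    Enable-BitLockerAutoUnlock -MountPoint $data
} else {
    Write-Warning "OS volume $($os.MountPoint) is not protected; skipping auto-unlock for $data."
}

# Expect VolumeStatus EncryptionInProgress or FullyEncrypted, ProtectionStatus On,
# and both Password and RecoveryPassword listed under Protectors.
Get-BitLockerVolume -MountPoint $data |
    Select-Object MountPoint, VolumeStatus, EncryptionMethod, ProtectionStatus,
        @{ n = 'Protectors'; e = { $_.KeyProtector.KeyProtectorType -join ', ' } }
```

The order matters: if the password protector were added first and the script failed before the recovery password was created, the volume would be protected by a single user-chosen secret with no recovery path.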
Using an AD Account or Group protector in Windows PowerShell
The ADAccountOrGroup protector, introduced in Windows 8 and Windows Server 2012, is an Active Directory SID-based protector. This protector can be added to both operating system and data volumes, although it does not unlock operating system volumes in the pre-boot environment. The protector requires the SID for the domain account or group to link with the protector. BitLocker can protect a cluster-aware disk by adding a SID-based protector for the Cluster Name Object (CNO) that lets the disk properly failover to and be unlocked by any member computer of the cluster.
Warning: The ADAccountOrGroup protector requires an additional protector (such as TPM, PIN, or recovery key) when used on operating system volumes.
To add an ADAccountOrGroup protector to a volume requires either the actual domain SID or the group name preceded by the domain and a backslash. In the example below, the CONTOSO\Administrator account is added as a protector to the data volume G:
Add-BitLockerKeyProtector G: -ADAccountOrGroupProtector -ADAccountOrGroup "CONTOSO\Administrator"
For users who wish to use the SID for the account or group, the first step is to determine the SID associated with the account. To get the specific SID for a user account in Windows PowerShell, use the following command:
Get-ADUser -Filter {samaccountname -eq "administrator"}
Note: Use of this command requires the RSAT-AD-PowerShell feature.
Tip: In addition to the PowerShell command above, information about the locally logged on user and group membership can be found using: WHOAMI /ALL. This does not require the use of additional features.
The following example adds an ADAccountOrGroup protector to the previously encrypted operating system volume using the SID of the account:
Add-BitLockerKeyProtector C: -ADAccountOrGroupProtector -ADAccountOrGroup <SID>
Note: Active Directory-based protectors are normally used to unlock Failover Cluster enabled volumes.
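The SID-based protector end to end, resolving the SID without the RSAT-AD-PowerShell feature and enforcing the warning above before touching an OS volume. This is an added example, not code from the original article; it assumes a domain-joined, elevated Windows 10 session with the BitLocker module, and 'CONTOSO\Administrator' and 'G:' are placeholders. The SID lookup uses .NET's NTAccount translation, which queries the domain controller and therefore works on any domain member, instead of the Get-ADUser cmdlet shown above.

```powershell
# Added example (not from the original article): resolve a domain account or
# group to its SID without RSAT, add it as an ADAccountOrGroup protector, and
# show the resulting protector list.
# Assumes a domain-joined, elevated Windows 10 session with the BitLocker module;
# 'CONTOSO\Administrator' and 'G:' are placeholders.

function Resolve-AccountSid {
    param([string]$Account)   # DOMAIN\name form
    # NTAccount.Translate asks a domain controller for the mapping, so this works
    # on any domain member even when the Get-ADUser cmdlet is not installed.
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    ($nt.Translate([System.Security.Principal.SecurityIdentifier])).Value
}

function Add-SidProtector {
    param([string]$MountPoint, [string]$Account)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint

    # An ADAccountOrGroup protector cannot unlock an OS volume pre-boot, so on an
    # OS volume insist that a TPM-based or recovery protector is already present.
    $preBoot = $vol.KeyProtector | Where-Object {
        $_.KeyProtectorType -in 'Tpm', 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey', 'RecoveryPassword'
    }
    if ($vol.VolumeType -eq 'OperatingSystem' -and -not $preBoot) {
        throw "$MountPoint is an OS volume with no TPM or recovery protector; add one first."
    }

    $sid = Resolve-AccountSid -Account $Account
    Write-Verbose "$Account resolved to $sid"
    Add-BitLockerKeyProtector -MountPoint $MountPoint -ADAccountOrGroupProtector -ADAccountOrGroup $sid | Out-Null

    # Return the full protector list so the caller can see the new entry alongside
    # the existing ones.
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Select-Object KeyProtectorType, KeyProtectorId
}

Add-SidProtector -MountPoint 'G:' -Account 'CONTOSO\Administrator' -Verbose
```

For a Failover Cluster disk, pass the Cluster Name Object (for example 'CONTOSO\CLUSTER01$') as the account; the SID is resolved the same way, and the check on the OS volume does not apply because cluster disks are data volumes.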