BitLocker Drive Encryption
BitLocker is the full-volume encryption feature built into Windows, and understanding how it uses the TPM to seal its key and how its recovery password gets you back in when that seal breaks is what separates a five-minute recovery from a wiped laptop.
The hardware chip that seals BitLocker’s key and checks the boot chain hasn’t been tampered with.
The mechanism — TPM, PIN, startup key, or password — that unlocks the volume’s encryption key.
The 48-digit numerical fallback that unlocks a volume when its normal protector can’t.
What Is BitLocker?
BitLocker Drive Encryption is a Windows security feature that encrypts an entire volume, protecting the data on it if the physical disk is lost, stolen, or removed from the machine and read on another system. It ships with Windows client and server and requires no third-party software to turn on.
Think of BitLocker as a safe built into the drive itself rather than a lock on the door of the room the drive sits in. File permissions and NTFS ACLs stop someone from opening a file while Windows is running and enforcing them; BitLocker stops someone from reading anything on the disk at all once it’s outside a running, authenticated Windows session — pull the disk out and put it in another machine, and every byte is unreadable without the key.
BitLocker provides its strongest protection when paired with a Trusted Platform Module (TPM), a small hardware security chip most modern Windows devices already have. On top of the TPM, BitLocker can additionally require a PIN or a startup key on a removable drive before the machine will boot, giving multifactor protection instead of relying on the TPM alone.
How BitLocker Protects a Volume
Every BitLocker volume has one encryption key that actually encrypts the data. What differs between configurations is how that key is protected, or “wrapped” — this wrapping mechanism is what BitLocker calls a key protector. You can only choose one key protector (or combination) when you first enable BitLocker, but you can add others afterwards.
When a TPM protector is in use, the TPM measures the early boot components — firmware, boot loader, boot configuration — and only releases the key if those measurements match what was recorded when BitLocker was turned on. This is what a TCG-compliant BIOS or UEFI firmware with Static Root of Trust Measurement support makes possible: it establishes a chain of trust for the preboot startup that the TPM can check.
If anything in that chain changes — a firmware update, a boot order change, a different disk controller, someone booting from another medium to try to read the disk — the TPM refuses to release the key automatically, and BitLocker drops to recovery mode, prompting for whichever fallback protector is configured.
Key Protectors
BitLocker supports several protector types, and you choose one (or a stacked combination) when you enable encryption. The PowerShell BitLocker module’s Enable-BitLocker and Add-BitLockerKeyProtector cmdlets expose each of these as its own parameter set.
| Protector | How it works | Typical use |
|---|---|---|
| TPM only | TPM releases the key automatically if boot integrity checks pass. | Unattended servers and desktops; no user interaction at boot. |
| TPM + PIN | TPM checks integrity, then requires a 4-20 character PIN entered at boot. | Laptops, where the extra factor defends against a stolen-but-powered-off device. |
| TPM + startup key | TPM checks integrity, then requires a USB drive holding the external key. | Environments that want a physical token instead of a memorised PIN. |
| TPM + PIN + startup key | Combines all three factors. | Highest-assurance endpoints. |
| Startup key only | A USB drive with the external key, no TPM involved. | Devices without a TPM. |
| Password | A password protects a data (non-OS) drive. | Removable or fixed data drives, not operating system volumes. |
| Recovery password | A randomly generated (or specified) 48-digit numerical password. | The fallback added to every volume alongside its primary protector. |
| Recovery key | A recovery key file saved to an external location. | An alternative fallback to the recovery password. |
| AD DS account | Domain credentials for the account or computer unlock a data volume. | Data drives only — not supported on operating system volumes. |
Microsoft Learn’s guidance for Enable-BitLocker makes a point worth keeping in mind: it’s common practice to add a recovery password protector with Add-BitLockerKeyProtector, back it up with Backup-BitLockerKeyProtector, and only then turn encryption on — that way a recovery option exists before the drive is ever locked by anything else.
BitLocker vs Device Encryption
Device encryption is a separate, simplified feature that automatically turns BitLocker on for qualifying hardware, without any administrator having to configure protectors by hand.
| Aspect | BitLocker | Device encryption |
|---|---|---|
| Activation | Configured manually, or via Group Policy / MDM policy. | Enables itself automatically on qualifying hardware once signed in. |
| Recovery key backup | Depends on policy configuration; not automatic by default. | Automatically backed up to Microsoft Entra ID, AD DS, or the user’s Microsoft account. |
| Drive coverage | Any volume you choose to protect. | OS drive and fixed drives only — never external/USB drives. |
| Editions | Requires Pro, Enterprise, Education, or Pro Education/SE. | Available on all Windows editions, including Home, on qualifying hardware. |
| Local-account-only devices | N/A — protectors are chosen explicitly. | Data is encrypted but the device is effectively unprotected — there’s no account to escrow the key against. |
Recovery Keys and Active Directory Escrow
For domain-joined machines, BitLocker recovery passwords can be escrowed to Active Directory Domain Services so a help desk can retrieve them without depending on the end user having written the recovery password down anywhere.
The relevant Group Policy setting is Choose how BitLocker-protected operating system drives can be recovered (a parallel setting exists for fixed and removable data drives), under Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption. Enabling it exposes the option Save BitLocker recovery information to Active Directory Domain Services, with a choice between backing up the recovery password only, or the recovery password and key package together — the key package additionally supports recovering data from a drive that’s been physically corrupted.
msFVE-RecoveryInformation object underneath the computer object it belongs to. A domain admin (or a delegated helpdesk role) can read the recovery password from there without ever touching the end user’s machine.
There’s a related policy — Do not enable BitLocker until recovery information is stored in AD DS for operating system drives — that refuses to let BitLocker turn on at all unless the domain backup succeeds first, and automatically generates a recovery password to make that possible. Without it, a laptop that encrypts while offline from the domain can end up with no AD DS backup at all.
If a volume was already encrypted before this policy was ever configured, the backup has to be pushed manually. From an elevated PowerShell session:
# Get the BitLocker volume object for C: and inspect its key protectors
$BLV = Get-BitLockerVolume -MountPoint "C:"
$BLV.KeyProtector
# Back up a specific recovery password protector to AD DS, by its KeyProtectorId
Backup-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $BLV.KeyProtector[1].KeyProtectorId
# Equivalent using manage-bde, with the protector's ID from "manage-bde -protectors -get"
manage-bde -protectors -adbackup C: -id "{00000000-0000-0000-0000-000000000000}"
For Microsoft Entra hybrid-joined devices, the recovery password backs up to both AD DS and Entra ID. For Entra-joined-only devices, it goes to Entra ID instead, using the equivalent -aadbackup switch on manage-bde -protectors.
Console, Settings, and PowerShell
On a client machine, BitLocker is managed from Control Panel > System and Security > BitLocker Drive Encryption, or the newer Settings > Privacy & security > Device encryption pane on devices that qualify for the simplified device-encryption flow. Both let you turn BitLocker on for a drive, suspend protection, and print or save the recovery key.
On Windows Server, BitLocker isn’t installed by default — it’s an optional feature. Microsoft’s own guidance is to install it and configure it once via Server Manager or PowerShell, then manage it day to day with PowerShell rather than the GUI:
# Install the BitLocker feature with all management tools, then restart
Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -Restart
# Preview what a full install would add, without installing anything yet
Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -WhatIf
Commands
manage-bde is the command-line tool that predates the PowerShell module and can be used in place of the Control Panel applet. The BitLocker PowerShell module is generally preferred for scripting, since it returns structured objects instead of parsed text. Both are shown below, grouped by task.
# --- Status ---
# Show BitLocker status for every drive (manage-bde)
manage-bde -status
# Show BitLocker status for every volume (PowerShell)
Get-BitLockerVolume
# Show every attribute for one volume, including its key protectors
Get-BitLockerVolume -MountPoint "C:" | Format-List
# --- Enabling encryption ---
# Turn on BitLocker for C: with TPM + PIN (manage-bde)
manage-bde -on C: -tpmandpin
# Turn on BitLocker for C:, adding a recovery password (manage-bde)
manage-bde -on C: -recoverypassword
# Turn on BitLocker for C: with TPM + PIN, encrypting only used space (PowerShell)
$SecurePin = ConvertTo-SecureString "123456" -AsPlainText -Force
Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -UsedSpaceOnly -Pin $SecurePin -TpmAndPinProtector
# --- Managing protectors ---
# List all key protectors and their IDs for C: (manage-bde)
manage-bde -protectors -get C:
# Add a recovery password protector to an existing volume (PowerShell)
Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector
# Add a domain account protector to a data volume (PowerShell)
Add-BitLockerKeyProtector -MountPoint "E:" -ADAccountOrGroup "CORP\HelpDeskEscrow" -ADAccountOrGroupProtector
# --- Unlocking and lifecycle ---
# Unlock a locked data drive with its recovery password (manage-bde)
manage-bde -unlock E: -recoverypassword 123456-123456-123456-123456-123456-123456-123456-123456
# Unlock a data drive from PowerShell
Unlock-BitLocker -MountPoint "E:" -RecoveryPassword "123456-123456-123456-123456-123456-123456-123456-123456"
# Suspend protection for one planned reboot (e.g. before a firmware update)
Suspend-BitLocker -MountPoint "C:" -RebootCount 1
# Resume protection after maintenance is done
Resume-BitLocker -MountPoint "C:"
# Decrypt a volume entirely and remove all protectors
Disable-BitLocker -MountPoint "C:"
RebootCount or resume it manually straight after the maintenance window.
Version Boundaries
BitLocker’s capabilities have grown across Windows and Windows Server releases, and a few boundaries are worth knowing before you plan a rollout.
| Capability | Introduced / boundary |
|---|---|
| BitLocker enablement | Requires Windows Pro, Enterprise, Education, or Pro Education/SE — not available for manual configuration on Home editions. |
| TPM requirement | TPM 1.2 or later satisfies the BitLocker integrity-check requirement; devices without any TPM must use a startup key instead. |
| XTS-AES encryption method | Introduced with Windows 10, version 1511. Removable drives that need to stay readable on Windows 8.1 / Windows Server 2012 R2 or earlier must still use the plain AES-128/AES-256 (CBC) method instead of XtsAes128/XtsAes256 for backward compatibility. |
| Network Unlock | Introduced with Windows 8 and Windows Server 2012, letting TPM-enabled devices auto-unlock the OS drive over a trusted wired network at boot. |
| Device encryption prerequisites | Historically required Modern Standby or HSTI compliance and no externally accessible DMA ports. Starting in Windows 11, version 24H2, those DMA/HSTI/Modern Standby prerequisites were removed, qualifying more hardware automatically. |
| Windows Server | BitLocker is an optional feature, not installed by default; install it with Install-WindowsFeature BitLocker and a restart before any of the cmdlets or manage-bde are usable. |
Troubleshooting Cheat Sheet
| Symptom | Likely Cause | Fix |
|---|---|---|
| Machine boots straight to BitLocker recovery screen | A boot-chain measurement changed — firmware update, boot order change, disconnected/added disk, or Secure Boot setting flipped. | Enter the recovery password to get back in, then remove and re-add the TPM protector so it re-seals against the new measurements: manage-bde -protectors -delete C: -type tpm, followed by manage-bde -protectors -add C: -tpm. |
| Recovery password not found in AD DS | The “Store BitLocker recovery information in AD DS” policy wasn’t enabled before the drive was encrypted, so nothing was ever escrowed. | If the machine is still accessible, back the existing protector up manually with Backup-BitLockerKeyProtector, then enable the policy so future protectors escrow automatically. |
Enable-BitLocker fails with no eligible key protector |
No TPM present, and no startup-key or password protector was specified for a TPM-less device. | Add a startup key on a removable drive with -StartupKeyProtector -StartupKeyPath, since a TPM-less operating system drive cannot rely on TPM-only protection. |
| Drive stuck at “EncryptionInProgress” indefinitely | Encryption paused itself, often due to a pending reboot, battery/power state, or detected user activity slowing the background pass. | Check Get-BitLockerVolume for VolumeStatus, then Resume-BitLocker once the device is plugged in and idle. |
| Cannot add an AD DS account protector | AD DS account protectors are only valid on data volumes, not operating system volumes, and cannot normally be added remotely without constrained delegation configured. | Add the protector locally on the target machine, or configure constrained delegation first if remote administration is required. |
| Group Policy sets recovery options but nothing changes | The policy only affects drives encrypted after the setting takes effect — it doesn’t retroactively touch already-encrypted volumes. | For already-encrypted drives, add or back up the missing protector manually with Add-BitLockerKeyProtector / Backup-BitLockerKeyProtector. |
Final Thoughts
BitLocker is easy to treat as a checkbox — turn it on, move on — until the day a laptop won’t boot past the recovery screen and nobody can find the key. The feature is genuinely simple underneath: one encryption key, wrapped by whichever protector you chose, with the TPM doing continuous, silent integrity checking so long as nothing in the boot chain changes.
In a domain environment, the piece that turns BitLocker from a personal safety net into an operational control is the AD DS recovery-key escrow. Configure it before drives get encrypted, not after, and a lost PIN or a firmware-triggered recovery prompt becomes a two-minute help desk lookup instead of a data-recovery incident.
Get-BitLockerVolume | Format-List on any protected machine. If ProtectionStatus is On and KeyProtector includes both a Tpm entry and a RecoveryPassword entry, the drive has both its everyday unlock path and its fallback covered.
Next, we can look at Credential Guard and virtualization-based security — the natural extension of TPM-backed protection past the disk itself and into how Windows isolates credentials in memory.